How do I create two HTTP security configurations using Java-based configuration?

In XML configuration, I can create the following:

<security:http pattern="/api/**"
               create-session="never"
               use-expressions="true">
  <security:http-basic entry-point-ref="xBasicAuthenticationEntryPoint"/>
  <security:session-management />
  <security:intercept-url pattern="/tests/**" access="isAuthenticated()"/>
  <security:intercept-url pattern="/api/**" access="isAuthenticated()"/>
</security:http>

<security:http auto-config="true" use-expressions="true" realm="ACME">
  <security:intercept-url pattern="/favicon.ico" access="permitAll" />
  <security:intercept-url pattern="/static/**" access="permitAll"/>
  <security:intercept-url pattern="/error/**" access="permitAll" />
  <security:intercept-url pattern="/" access="permitAll"/>
  <security:intercept-url pattern="/login" access="permitAll"/>
  <security:intercept-url pattern="/logout" access="isAuthenticated()"/>
  <security:form-login login-page='/login'
                       authentication-failure-url="/login?error"/>
  <security:logout logout-url="/logout" logout-success-url="/"/>
</security:http>

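This lets all calls to /api/** not attempt to authenticate the user when there is no session.

How do I create the same configuration using Java-based configuration?

My WebSecurityConfigurerAdapter#configure(HttpSecurity) method looks like this: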

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.addFilter(switchUserFilter())
        .authorizeRequests()
        .antMatchers("/").permitAll()
        .antMatchers("/static/**").permitAll()
        .anyRequest().authenticated()
        .and().formLogin()
              .loginPage("/login")
              .permitAll()
              .defaultSuccessUrl("/")
        .and().logout()
              .logoutUrl("/logout")
              .logoutSuccessUrl("/");
}

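1 answer

  1. # Answer 1

    This is explicit in the Spring Security reference manual: you add as many inner classes annotated with @Configuration as you need, together with an @Order() annotation to specify which ones are checked first. In your example, it could look like: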

    @Order(1)
    @Configuration
    private static class ApiSecurityConfigurationAdapter
            extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // This chain only applies to requests under /api/**
                .antMatcher("/api/**")
                // Never create a session for API calls
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
                .and().httpBasic().authenticationEntryPoint(xBasicAuthenticationEntryPoint)
                .and().authorizeRequests()
                    .anyRequest().authenticated();
        }
    }
    
    @Configuration
    private static class NormalSecurityConfigurationAdapter
            extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.addFilter(switchUserFilter())
                .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/static/**").permitAll()
                .anyRequest().authenticated()
                .and().formLogin()
                      .loginPage("/login")
                      .permitAll()
                      .defaultSuccessUrl("/")
                .and().logout()
                      .logoutUrl("/logout")
                      .logoutSuccessUrl("/");
        }
    }
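
The same two-chain layout as an added example (not part of the original answer), written for Spring Security 6, where WebSecurityConfigurerAdapter no longer exists and each chain is a SecurityFilterChain bean. It assumes an AuthenticationEntryPoint bean is available for injection; the class and method names are hypothetical, and the switchUserFilter() from the question is left out.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig {

    // Checked first: only requests matching /api/** enter this chain.
    // The entry point parameter is an assumed bean, named after the one in the question.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http,
                                 AuthenticationEntryPoint xBasicAuthenticationEntryPoint)
            throws Exception {
        http.securityMatcher("/api/**")
            // Never create a session for API calls (create-session="never" in the XML).
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.NEVER))
            .httpBasic(b -> b.authenticationEntryPoint(xBasicAuthenticationEntryPoint))
            .authorizeHttpRequests(a -> a.anyRequest().authenticated());
        return http.build();
    }

    // Checked last: no securityMatcher, so it handles every request
    // that the API chain did not claim.
    @Bean
    @Order(2)
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(a -> a
                .requestMatchers("/", "/static/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(f -> f.loginPage("/login").permitAll().defaultSuccessUrl("/"))
            .logout(l -> l.logoutUrl("/logout").logoutSuccessUrl("/"));
        return http.build();
    }
}
```

The order is what keeps the API rules effective: if the chain without a matcher were checked first, it would also match /api/** and the stateless HTTP Basic chain would never be used.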