How do I create two HTTP security configurations using Java-based configuration?
With XML configuration, I can create the following:
```xml
<security:http pattern="/api/**"
               create-session="never"
               use-expressions="true">
    <security:http-basic entry-point-ref="xBasicAuthenticationEntryPoint"/>
    <security:session-management />
    <security:intercept-url pattern="/tests/**" access="isAuthenticated()"/>
    <security:intercept-url pattern="/api/**" access="isAuthenticated()"/>
</security:http>

<security:http auto-config="true" use-expressions="true" realm="ACME">
    <security:intercept-url pattern="/favicon.ico" access="permitAll" />
    <security:intercept-url pattern="/static/**" access="permitAll"/>
    <security:intercept-url pattern="/error/**" access="permitAll" />
    <security:intercept-url pattern="/" access="permitAll"/>
    <security:intercept-url pattern="/login" access="permitAll"/>
    <security:intercept-url pattern="/logout" access="isAuthenticated()"/>
    <security:form-login login-page='/login'
                         authentication-failure-url="/login?error"/>
    <security:logout logout-url="/logout" logout-success-url="/"/>
</security:http>
```
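This allows all calls to /api/** to not attempt to authenticate the user without a session.

How can I create the same configuration using Java-based configuration?

My WebSecurityConfigurerAdapter#configure(HttpSecurity) method looks like this: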
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.addFilter(switchUserFilter())
        .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/static/**").permitAll()
            .anyRequest().authenticated()
        .and().formLogin()
            .loginPage("/login")
            .permitAll()
            .defaultSuccessUrl("/")
        .and().logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/");
}
```
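# Answer 1
This is explicit in the Spring Security reference manual: you put as many @Configuration-annotated inner classes as you need, each with an @Order() annotation, to specify which ones are checked first. In your example, it might look like: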
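
Added example (not the answerer's code, which does not appear on this page): the question's two XML `<security:http>` blocks mapped onto two ordered WebSecurityConfigurerAdapter inner classes. The class names are hypothetical, the user store / AuthenticationManagerBuilder setup is assumed to be configured elsewhere, and the question's custom xBasicAuthenticationEntryPoint and switchUserFilter() are left out.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@EnableWebSecurity
public class MultiHttpSecurityConfig { // hypothetical class name

    // Checked first (@Order(1)); antMatcher limits this chain to /api/** only.
    @Configuration
    @Order(1)
    public static class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**")
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .httpBasic()
                    .and()
                .sessionManagement() // equivalent of create-session="never"
                    .sessionCreationPolicy(SessionCreationPolicy.NEVER);
        }
    }

    // No @Order: the adapter's default order (100) applies, so this chain is
    // checked last and, having no antMatcher, handles every remaining request.
    @Configuration
    public static class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/", "/favicon.ico", "/static/**", "/error/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .failureUrl("/login?error")
                    .permitAll()
                    .and()
                .logout()
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/");
        }
    }
}
```

CSRF protection is enabled by default in Java configuration, so state-changing requests to /api/** are rejected without a CSRF token unless that chain's csrf() settings are changed deliberately. WebSecurityConfigurerAdapter was deprecated in Spring Security 5.7 and removed in 6.0, so this form applies to the older versions the question targets.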