春季安全配置未生效

huangapple go评论75阅读模式
英文:

Spring Security Configuration is not applied

问题

我有以下配置,需要为 /api/v1/** 端点配置 HTTPBasic 认证,并且我想为 /users/ 的 URL 模式配置 form 认证。当我按照以下配置运行时,Web 请求的配置正常工作,但 API 的配置却没有生效。没有应用任何安全性。我哪里做错了?

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Order(1)
    @Configuration
    public static class MVCSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Bean
        public BCryptPasswordEncoder getBCryptPasswordEncoder() {
            return new BCryptPasswordEncoder();
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/users/**")
                .csrf()
                    .and()
                .authorizeRequests()
                .antMatchers(
                    "/resources/**", "/users/register", "/users/signup", "/users/confirm", 
                    "/users/user-action", "/users/reset-password", "/confirm", "/webjars/**"
                )
                .permitAll()
                .antMatchers("/users/**")
                .hasRole("USER")
                .anyRequest()
                .authenticated()
                .and()
                .formLogin()
                    .loginPage("/login")
                    .usernameParameter("username")
                    .passwordParameter("password");

            http
                .authorizeRequests()
                .antMatchers("/api/v1/users/**")
                .hasRole("USER")
                .anyRequest()
                .authenticated()
                .and()
                .httpBasic();
        }
    }
}
英文:

I have the below configuration where i need to configure HTTPBasic authentication for /api/v1/** endpoints and i want to configure form authentication for /users/ url pattern. When i run with the below configuration, the configuration for web requests is working correctly but the configuration for API is not working. No security is being applied. Where am I going wrong?

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {
@Order(1)
@Configuration
public static class MVCSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Bean
public BCryptPasswordEncoder getBCryptPasswordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.
antMatcher("/users/**")
.csrf()
.and()
.authorizeRequests()
.antMatchers(
"/resources/**", "/users/register", "/users/signup", "/users/confirm", "/users/user-action", "/users/reset-password", "/confirm", "/webjars/**")
.permitAll()
.antMatchers("/users/**")
.hasRole("USER")
.anyRequest()
.authenticated()
.and()
.formLogin().loginPage("/login").usernameParameter("username").passwordParameter("password");
http
.authorizeRequests()
.antMatchers("/api/v1/users/**")
.hasRole("USER")
.anyRequest()
.authenticated()
.and()
.httpBasic();
}
}

答案1

得分: 3

我已经将您的代码与下面的配置一起使用:

@EnableWebSecurity
public class SecurityConfiguration {

    public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/v1/users/**")
                .authorizeRequests().anyRequest()
                .hasRole("USER").and().httpBasic();
        }

    }

    @Configuration
    @Order(2)
    public class MVCSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {

            http.csrf().and().authorizeRequests()
                    .antMatchers("/resources/**", "/users/register", "/users/signup", "/users/confirm",
                            "/users/user-action", "/users/reset-password", "/confirm", "/webjars/**").permitAll()
            .antMatchers("/users/**").hasRole("USER")
            .and()
            .formLogin().usernameParameter("username").passwordParameter("password");
        }
    }

}

查看关于Spring Security的文档以及示例代码此处

英文:

I have put your code to work with this configuration bellow:

@EnableWebSecurity
public class SecurityConfiguration {
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/api/v1/users/**")
.authorizeRequests().anyRequest()
.hasRole("USER").and().httpBasic();
}
}
@Configuration
@Order(2)
public class MVCSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().and().authorizeRequests()
.antMatchers("/resources/**", "/users/register", "/users/signup", "/users/confirm",
"/users/user-action", "/users/reset-password", "/confirm", "/webjars/**").permitAll()
.antMatchers("/users/**").hasRole("USER")
.and()
.formLogin().usernameParameter("username").passwordParameter("password");
}
}
}

View docs for Spring Security and sample code here.

huangapple
  • 本文由 发表于 2020年5月30日 20:37:11
  • 转载请务必保留本文链接:https://go.coder-hub.com/62102534.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定