问题

我有以下配置，需要为 /api/v1/** 端点配置 HTTPBasic 认证，并且我想为 /users/ 的 URL 模式配置 form 认证。当我按照以下配置运行时，Web 请求的配置正常工作，但 API 的配置却没有生效。没有应用任何安全性。我哪里做错了？

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Order(1)
    @Configuration
    public static class MVCSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Bean
        public BCryptPasswordEncoder getBCryptPasswordEncoder() {
            return new BCryptPasswordEncoder();
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/users/**")
                .csrf()
                    .and()
                .authorizeRequests()
                .antMatchers(
                    "/resources/**", "/users/register", "/users/signup", "/users/confirm", 
                    "/users/user-action", "/users/reset-password", "/confirm", "/webjars/**"
                )
                .permitAll()
                .antMatchers("/users/**")
                .hasRole("USER")
                .anyRequest()
                .authenticated()
                .and()
                .formLogin()
                    .loginPage("/login")
                    .usernameParameter("username")
                    .passwordParameter("password");

            http
                .authorizeRequests()
                .antMatchers("/api/v1/users/**")
                .hasRole("USER")
                .anyRequest()
                .authenticated()
                .and()
                .httpBasic();
        }
    }
}

英文:

I have the below configuration where i need to configure HTTPBasic authentication for /api/v1/** endpoints and i want to configure form authentication for /users/ url pattern. When i run with the below configuration, the configuration for web requests is working correctly but the configuration for API is not working. No security is being applied. Where am I going wrong?

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {
@Order(1)
@Configuration
public static class MVCSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Bean
public BCryptPasswordEncoder getBCryptPasswordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.
antMatcher(&quot;/users/**&quot;)
.csrf()
.and()
.authorizeRequests()
.antMatchers(
&quot;/resources/**&quot;, &quot;/users/register&quot;, &quot;/users/signup&quot;, &quot;/users/confirm&quot;, &quot;/users/user-action&quot;, &quot;/users/reset-password&quot;, &quot;/confirm&quot;, &quot;/webjars/**&quot;)
.permitAll()
.antMatchers(&quot;/users/**&quot;)
.hasRole(&quot;USER&quot;)
.anyRequest()
.authenticated()
.and()
.formLogin().loginPage(&quot;/login&quot;).usernameParameter(&quot;username&quot;).passwordParameter(&quot;password&quot;);
http
.authorizeRequests()
.antMatchers(&quot;/api/v1/users/**&quot;)
.hasRole(&quot;USER&quot;)
.anyRequest()
.authenticated()
.and()
.httpBasic();
}
}

答案1

得分: 3

我已经将您的代码与下面的配置一起使用：

@EnableWebSecurity
public class SecurityConfiguration {

    public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/v1/users/**")
                .authorizeRequests().anyRequest()
                .hasRole("USER").and().httpBasic();
        }

    }

    @Configuration
    @Order(2)
    public class MVCSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {

            http.csrf().and().authorizeRequests()
                    .antMatchers("/resources/**", "/users/register", "/users/signup", "/users/confirm",
                            "/users/user-action", "/users/reset-password", "/confirm", "/webjars/**").permitAll()
            .antMatchers("/users/**").hasRole("USER")
            .and()
            .formLogin().usernameParameter("username").passwordParameter("password");
        }
    }

}

查看关于Spring Security的文档以及示例代码此处。

英文:

I have put your code to work with this configuration bellow:

@EnableWebSecurity
public class SecurityConfiguration {
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher(&quot;/api/v1/users/**&quot;)
.authorizeRequests().anyRequest()
.hasRole(&quot;USER&quot;).and().httpBasic();
}
}
@Configuration
@Order(2)
public class MVCSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().and().authorizeRequests()
.antMatchers(&quot;/resources/**&quot;, &quot;/users/register&quot;, &quot;/users/signup&quot;, &quot;/users/confirm&quot;,
&quot;/users/user-action&quot;, &quot;/users/reset-password&quot;, &quot;/confirm&quot;, &quot;/webjars/**&quot;).permitAll()
.antMatchers(&quot;/users/**&quot;).hasRole(&quot;USER&quot;)
.and()
.formLogin().usernameParameter(&quot;username&quot;).passwordParameter(&quot;password&quot;);
}
}
}

View docs for Spring Security and sample code here.

通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库，让每个人都能够通过互相帮助和分享经验来进步。

春季安全配置未生效

问题

答案1

Java正则表达式匹配精确的社会安全号码模式

如何减少这个Java方法的圈复杂度

使用 cast 在 JPQL 的 order by 子句中。

如何根据列表中的属性对对象列表进行排序

What's the correct way to type hint an empty list as a literal in python?

如何在Highcharts Gantt中更改本地化的星期名称

如何在同一个流中使用多个过滤器和映射函数？

如何使用Map/Set来将代码优化到O(n)？

.NET MAUI Android在GitHub Actions上构建失败，错误代码为1。

如何在Playwright视觉比较中屏蔽多个定位器？

在C++中，可以使用可变模板参数来检索类型的内部类型。

selenium.common.exceptions.StaleElementReferenceException: Message: stale element reference: stale element not found

Creating and opening a URL to log in to Website via Basic Auth with Robot Framework/Selenium (Python)

AG Grid 在上下文菜单中以大文本形式打开

发表评论