“Spring Security Configuration Kotlin DSL”


Question

So, I have this Java code inside my configurer adapter:

http.cors().and().csrf().disable()
    .authorizeRequests().antMatchers(HttpMethod.POST, Constants.CREATE_USER_URL).permitAll()
    .and().authorizeRequests().antMatchers(HttpMethod.GET, "/v2/api-docs", "/swagger-resources/**", "/swagger-ui/**", "/swagger-ui.html**", "/webjars/**", "favicon.ico").permitAll().anyRequest().authenticated()
    .and().addFilter(new JwtAuthenticationFilter(authenticationManager())).addFilter(new BasicJwtAuthenticationFilter(authenticationManager()))
    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

And I try using the new Kotlin DSL:

http {
  cors { disable() }
  csrf { disable() }
  authorizeRequests {
    authorize(AntPathRequestMatcher(createUserUrl, HttpMethod.POST.name), permitAll)
    authorize(AntPathRequestMatcher("favicon.ico", HttpMethod.GET.name), permitAll)
    authorize(AntPathRequestMatcher("/v2/api-docs", HttpMethod.GET.name), permitAll)
    authorize(AntPathRequestMatcher("/swagger-resources/**", HttpMethod.GET.name), permitAll)
    authorize(AntPathRequestMatcher("/swagger-ui/**", HttpMethod.GET.name), permitAll)
    authorize(AntPathRequestMatcher("/webjars/**", HttpMethod.GET.name), permitAll)
    authorize(anyRequest, authenticated)
  }
  addFilterAt(JwtAuthenticationFilter(authenticationManager()), AuthenticationFilter::class.java)
  addFilterAt(BasicJwtAuthenticationFilter(authenticationManager()), BasicAuthenticationFilter::class.java)
  sessionManagement { SessionCreationPolicy.STATELESS }
}

Does this Kotlin DSL have the same functionality as the Java code? Is there no addFilter for the Kotlin DSL?

Could I reduce the redundant authorize calls (in the Java code, it used antMatchers, which accepts multiple patterns) that have similar code (permitAll HTTP GET)?

Answer 1

Score: 6


Your Kotlin configuration is not equivalent to the Java configuration that you shared.

First, the CORS configuration

http
    .cors()
    .and()
    // ...

Below is the equivalent Kotlin configuration, since you are enabling CORS rather than disabling it.

http {
    cors { }
}

Second, the session management configuration

http
    // ...
    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

Below is the equivalent Kotlin configuration, where you want to assign the SessionCreationPolicy.

http {
    sessionManagement {
        sessionCreationPolicy = SessionCreationPolicy.STATELESS
    }
}

Regarding the addFilter method, in the Javadoc it states
> Adds Filter that must be an instance of or extend one of the Filters provided within the Security framework.

If your custom filter BasicJwtAuthenticationFilter is an instance of BasicAuthenticationFilter, then the Kotlin configuration is correct.

Adding all of this together, you get the following Kotlin configuration

http {
    cors { }
    csrf { disable() }
    authorizeRequests {
        authorize(AntPathRequestMatcher(createUserUrl, HttpMethod.POST.name), permitAll)
        authorize(AntPathRequestMatcher("favicon.ico", HttpMethod.GET.name), permitAll)
        authorize(AntPathRequestMatcher("/v2/api-docs", HttpMethod.GET.name), permitAll)
        authorize(AntPathRequestMatcher("/swagger-resources/**", HttpMethod.GET.name), permitAll)
        authorize(AntPathRequestMatcher("/swagger-ui/**", HttpMethod.GET.name), permitAll)
        authorize(AntPathRequestMatcher("/webjars/**", HttpMethod.GET.name), permitAll)
        authorize(anyRequest, authenticated)
    }
    addFilterAt(JwtAuthenticationFilter(authenticationManager()), AuthenticationFilter::class.java)
    addFilterAt(BasicJwtAuthenticationFilter(authenticationManager()), BasicAuthenticationFilter::class.java)
    sessionManagement {
        sessionCreationPolicy = SessionCreationPolicy.STATELESS
    }
}
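
The question's last point, collapsing the repeated permitAll GET rules, can be handled with one combined matcher. The following is an added example, not code from the original post or from the Spring Security project; `CREATE_USER_URL`, `PUBLIC_GET_PATTERNS`, `publicGet` and `SecurityConfig` are hypothetical names, and the Spring Security 5.x adapter style used on this page is assumed.

```kotlin
import org.springframework.http.HttpMethod
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.config.http.SessionCreationPolicy
import org.springframework.security.config.web.servlet.invoke
import org.springframework.security.web.util.matcher.AntPathRequestMatcher
import org.springframework.security.web.util.matcher.OrRequestMatcher
import org.springframework.security.web.util.matcher.RequestMatcher

// Assumption: stands in for Constants.CREATE_USER_URL from the question.
const val CREATE_USER_URL = "/users"

// Public GET patterns taken from the Java antMatchers(...) call in the question.
// "/swagger-ui.html**" is in the Java list but absent from the Kotlin versions on
// this page. "/favicon.ico" gets a leading slash here because Ant patterns are
// compared with a request path that always starts with "/".
val PUBLIC_GET_PATTERNS = listOf(
    "/v2/api-docs", "/swagger-resources/**", "/swagger-ui/**",
    "/swagger-ui.html**", "/webjars/**", "/favicon.ico"
)

// One matcher that is true when any public pattern matches a GET request.
fun publicGet(): RequestMatcher {
    val matchers: List<RequestMatcher> =
        PUBLIC_GET_PATTERNS.map { AntPathRequestMatcher(it, HttpMethod.GET.name) }
    return OrRequestMatcher(matchers)
}

@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
    override fun configure(http: HttpSecurity) {
        http {
            cors { }            // enabled, like http.cors(); cors { disable() } switches it off
            csrf { disable() }
            authorizeRequests {
                authorize(AntPathRequestMatcher(CREATE_USER_URL, HttpMethod.POST.name), permitAll)
                authorize(publicGet(), permitAll)
                authorize(anyRequest, authenticated) // catch-all stays last
            }
            // The asker's two JWT filters are registered here with the addFilterAt(...)
            // lines shown above; they are omitted because the classes are not on the page.
            sessionManagement {
                // Must be an assignment. A bare SessionCreationPolicy.STATELESS expression
                // is evaluated and discarded, so the default (IF_REQUIRED) stays in force.
                sessionCreationPolicy = SessionCreationPolicy.STATELESS
            }
        }
    }
}
```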

huangapple
  • This article was published on September 4, 2020, 12:13:01
  • When reposting, please keep the link to this article: https://go.coder-hub.com/63734740.html