春季安全配置未生效

huangapple
未分类评论63阅读模式
标题翻译

Spring Security Configuration is not applied

问题

我有以下配置,需要为 /api/v1/** 端点配置 HTTPBasic 认证,并且我想为 /users/ 的 URL 模式配置 form 认证。当我按照以下配置运行时,Web 请求的配置正常工作,但 API 的配置却没有生效。没有应用任何安全性。我哪里做错了?

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Order(1)
    @Configuration
    public static class MVCSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Bean
        public BCryptPasswordEncoder getBCryptPasswordEncoder() {
            return new BCryptPasswordEncoder();
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/users/**")
                .csrf()
                    .and()
                .authorizeRequests()
                .antMatchers(
                    "/resources/**", "/users/register", "/users/signup", "/users/confirm", 
                    "/users/user-action", "/users/reset-password", "/confirm", "/webjars/**"
                )
                .permitAll()
                .antMatchers("/users/**")
                .hasRole("USER")
                .anyRequest()
                .authenticated()
                .and()
                .formLogin()
                    .loginPage("/login")
                    .usernameParameter("username")
                    .passwordParameter("password");

            http
                .authorizeRequests()
                .antMatchers("/api/v1/users/**")
                .hasRole("USER")
                .anyRequest()
                .authenticated()
                .and()
                .httpBasic();
        }
    }
}
英文翻译

I have the below configuration where i need to configure HTTPBasic authentication for /api/v1/** endpoints and i want to configure form authentication for /users/ url pattern. When i run with the below configuration, the configuration for web requests is working correctly but the configuration for API is not working. No security is being applied. Where am I going wrong?

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Order(1)
    @Configuration
    public static class MVCSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Bean
        public BCryptPasswordEncoder getBCryptPasswordEncoder() {
            return new BCryptPasswordEncoder();
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.
                    antMatcher("/users/**")
                    .csrf()
                        .and()
                    .authorizeRequests()
                    .antMatchers(
                            "/resources/**", "/users/register", "/users/signup", "/users/confirm", "/users/user-action", "/users/reset-password", "/confirm", "/webjars/**")
                    .permitAll()
                    .antMatchers("/users/**")
                    .hasRole("USER")
                    .anyRequest()
                    .authenticated()
                    .and()
                    .formLogin().loginPage("/login").usernameParameter("username").passwordParameter("password");

            http
                    .authorizeRequests()
                    .antMatchers("/api/v1/users/**")
                    .hasRole("USER")
                    .anyRequest()
                    .authenticated()
                    .and()
                    .httpBasic();
        }
    }

答案1

得分: 3

我已经将您的代码与下面的配置一起使用:

@EnableWebSecurity
public class SecurityConfiguration {

    public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/v1/users/**")
                .authorizeRequests().anyRequest()
                .hasRole("USER").and().httpBasic();
        }

    }

    @Configuration
    @Order(2)
    public class MVCSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {

            http.csrf().and().authorizeRequests()
                    .antMatchers("/resources/**", "/users/register", "/users/signup", "/users/confirm",
                            "/users/user-action", "/users/reset-password", "/confirm", "/webjars/**").permitAll()
            .antMatchers("/users/**").hasRole("USER")
            .and()
            .formLogin().usernameParameter("username").passwordParameter("password");
        }
    }

}

查看关于Spring Security的文档以及示例代码此处

英文翻译

I have put your code to work with this configuration bellow:

@EnableWebSecurity
public class SecurityConfiguration {

public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
	
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.antMatcher("/api/v1/users/**")
           .authorizeRequests().anyRequest()
           .hasRole("USER").and().httpBasic();
	}

}

@Configuration
@Order(2)
public class MVCSecurityConfiguration extends WebSecurityConfigurerAdapter {

	@Override
	protected void configure(HttpSecurity http) throws Exception {

		http.csrf().and().authorizeRequests()
				.antMatchers("/resources/**", "/users/register", "/users/signup", "/users/confirm",
						"/users/user-action", "/users/reset-password", "/confirm", "/webjars/**").permitAll()
		.antMatchers("/users/**").hasRole("USER")
        .and()
        .formLogin().usernameParameter("username").passwordParameter("password");
	}
}

}

View docs for Spring Security and sample code here.

huangapple
  • 本文由 发表于 2020年5月30日 20:37:11
  • 转载请务必保留本文链接:https://java.coder-hub.com/62102534.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定