【发布时间】:2018-11-25 19:15:59
【问题描述】:
我的应用程序对 spring-data-rest 访问使用基本身份验证(“/api/**”下的所有内容)和使用面向客户端 API 的 UserDetailsService 的 JWT 身份验证(本示例中的“/component”下的所有内容)。在升级到 Spring Boot 2 之前,我的一切工作如下:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
private UserDetailsService userDetailsService;
private BCryptPasswordEncoder passwordEncoder;
public SecurityConfig( UserDetailsService userDetailsService, BCryptPasswordEncoder passwordEncoder )
{
this.userDetailsService = userDetailsService;
this.passwordEncoder = passwordEncoder;
}
@Override
public void configure( AuthenticationManagerBuilder authenticationManagerBuilder ) throws Exception
{
authenticationManagerBuilder
.userDetailsService( userDetailsService ).passwordEncoder( passwordEncoder )
.and()
.inMemoryAuthentication()
.withUser( "rest" ).password( "something" ).authorities( "REST" ).roles( "REST" );
}
@Override
protected void configure( HttpSecurity http ) throws Exception
{
http
.cors()
.and()
.csrf().disable()
.authorizeRequests()
.antMatchers( HttpMethod.POST, SecurityProperties.SIGN_UP_URL, SecurityProperties.LOGIN_URL ).permitAll()
.antMatchers( HttpMethod.GET, "/component1/**", "/component2/**", "/component3/**", "/component4/**" ).authenticated()
.antMatchers( HttpMethod.POST, "/component1/**", "/component2/**", "/component3/**", "/component4/**" ).authenticated()
.antMatchers( HttpMethod.GET, "/api/**" ).hasRole( "REST" )
.antMatchers( HttpMethod.OPTIONS, "/api/**" ).hasRole( "REST" )
.antMatchers( HttpMethod.PUT, "/api/**" ).hasRole( "REST" )
.antMatchers( HttpMethod.PATCH, "/api/**" ).hasRole( "REST" )
.antMatchers( HttpMethod.DELETE, "/api/**" ).hasRole( "REST" )
.anyRequest().authenticated()
.and()
.httpBasic()
.and()
.addFilter( new JWTAuthenticationFilter( authenticationManager() ) )
.addFilter( new JWTAuthorizationFilter( authenticationManager() ) )
.addFilter( new BasicAuthenticationFilter( authenticationManager() ) );
}
}
CORS 有一个单独的配置,我现在不关心它,因为它以前工作正常,现在不是任何问题的根源。
因此,随着升级到 Spring Boot Security 2,我尝试将每种安全类型的所有内容放在 2 个不同的 WebSecurityConfigurerAdapter 中,这将使其中一个工作,无论哪个具有较低的 @Order(1) 编号。我在某种程度上遵循了这里的示例:https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-Security-2.0
我想知道我现在是否应该使用 AuthenticationManagerBuilder 摆脱这个配置覆盖?还是将它们合并到一个文件中?我不知道该怎么做,有没有人有这方面的经验?
【问题讨论】:
标签: spring spring-boot spring-security