【问题标题】:Spring Security with Multiple Authentications具有多个身份验证的 Spring Security
【发布时间】:2020-04-07 01:30:56
【问题描述】:

嗨，我该如何把 @Order 用在我的 Controller 和 RestController 上？例如：order 1 用于 HTML 视图，order 2 用于 REST API。我想在同一个 Spring Web 应用中同时使用 REST 和 MVC。

具有多个 HTTP 元素的多个入口点

我认为我应该在我的控制器类中使用 order!

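/**
 * Security configuration with two entry points: HTTP Basic for the REST API under
 * {@code /api/**} and form login for the MVC pages.
 *
 * <p>Each nested {@code WebSecurityConfigurerAdapter} contributes one filter chain. Chains are
 * consulted in {@code @Order} order, and the first chain whose request matcher accepts the
 * request handles it alone. A chain that declares no matcher accepts every request, so the
 * narrower API chain must carry the lower order value and the catch-all form-login chain must
 * come after it; otherwise the API rules are never evaluated. {@code @Order} belongs on these
 * configuration classes, not on the controllers.
 */
// NOTE(review): @EnableWebMvcSecurity is deprecated since Spring Security 4.0 in favour of
// @EnableWebSecurity; it is kept here because the imports are not part of this listing.
@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserDetailsService userDetailsService;

    /** Registers the injected {@code UserDetailsService} on the global authentication builder. */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }

    /**
     * Stateless HTTP Basic chain, limited to {@code /api/**}. Declared {@code static} because
     * Spring only processes nested {@code @Configuration} classes that are static.
     */
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // NOTE(review): `m` is not declared anywhere in this listing; it has to be a bean
            // visible to this class that exposes authenticationProvider() -- confirm.
            auth.authenticationProvider(m.authenticationProvider());
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // antMatcher(...) scopes the whole chain to the API, so it no longer competes with
            // the form-login chain for page requests.
            http.antMatcher("/api/**")
                    .authorizeRequests()
                    .antMatchers(HttpMethod.GET, "/api/**").hasRole("EMPLOYEE")
                    // authorizeRequests() lets through any request no rule matches; without this
                    // catch-all, POST/PUT/DELETE under /api/** would need no credentials at all.
                    .anyRequest().authenticated()
                    .and()
                    .httpBasic()
                    .and()
                    // CSRF protection is off on this chain. That is only appropriate when the API
                    // is called by non-browser clients: a browser that has cached Basic
                    // credentials attaches them to cross-site requests automatically.
                    .csrf().disable()
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }
    }

    /**
     * Form-login chain for the MVC pages. It declares no request matcher, so it handles every
     * request the API chain did not claim. It was renamed from {@code ApiWebSecurityConfig}
     * because two nested classes cannot share one name.
     */
    @Configuration
    @Order(2)
    public static class FormLoginWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // NOTE(review): customAuthenticationSuccessHandler is not declared in this listing;
            // it must be injected into this class (for example an @Autowired field) -- confirm.
            http.authorizeRequests()
                    .antMatchers("/").permitAll()
                    .antMatchers("/user/**").hasRole("EMPLOYEE")
                    .anyRequest().authenticated()
                    .and()
                    .formLogin()
                    .loginPage("/LoginPage")
                    .loginProcessingUrl("/authenticateTheUser")
                    .successHandler(customAuthenticationSuccessHandler)
                    .permitAll()
                    .and()
                    .logout().permitAll()
                    .and()
                    .exceptionHandling().accessDeniedPage("/access-denied");
        }
    }

}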

【问题讨论】:

    标签: java spring security


    【解决方案1】:

    我解决了这个问题，找到了在单个项目中同时使用 Spring REST API 和 Spring MVC 的方法。在没有安全配置的项目中，同时使用它们很容易；而要在同一个项目中同时支持 Spring REST 安全和 Spring MVC 安全（登录页面以及 REST basic auth registry），我们应该使用 httpBasic()。

    访问 API 时可以使用如下 URL（仅适合本地测试：写在 URL 中的凭据容易留在浏览器历史、shell 历史和各类日志中，正式客户端应通过 HTTPS 发送 Authorization 头）：

    http://username:password@localhost:8080/api/members/

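    /**
     * Single filter chain that serves both the MVC pages (form login) and the REST API under
     * {@code /api/**} (HTTP Basic), authenticating against {@code UserService} with BCrypt-hashed
     * passwords.
     */
    @Configuration
    @EnableWebSecurity
    public class MultipleEntryPointsSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private UserService userService;

        @Autowired
        private CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler;

        /** Registers the DAO-backed provider defined by {@link #authenticationProvider()}. */
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(authenticationProvider());
        }

        /**
         * Declares the authorization rules for the MVC and the {@code /api} mappings and enables
         * both HTTP Basic and form login on the same chain.
         *
         * <p>The API can be exercised with a URL such as
         * {@code http://username:password@localhost:8080/api/members/} for a quick local check.
         * Credentials embedded in a URL tend to end up in browser history, shell history and
         * logs, so real clients should send the {@code Authorization} header over HTTPS.
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {

            http.authorizeRequests()
                    .antMatchers("/").hasRole("EMPLOYEE")
                    .antMatchers("/leaders/**").hasRole("MANAGER")
                    .antMatchers("/systems/**").hasRole("ADMIN")
                    .antMatchers(HttpMethod.GET, "/api/**").hasRole("EMPLOYEE")
                    // authorizeRequests() lets through any request that no rule matches, so
                    // without a catch-all, non-GET calls to /api/** and every unlisted path would
                    // need no login. Resources that must stay public (e.g. login page assets)
                    // need an explicit permitAll() rule above this line.
                    .anyRequest().authenticated()
                    .and()

                    .httpBasic()
                    .and()

                    .formLogin()
                    .loginPage("/showMyLoginPage")
                    .loginProcessingUrl("/authenticateTheUser")
                    .successHandler(customAuthenticationSuccessHandler)
                    .permitAll()
                    .and()
                    .logout().permitAll()
                    .and()
                    .exceptionHandling().accessDeniedPage("/access-denied");

        }

        /** Password encoder used to verify stored hashes (BCrypt). */
        @Bean
        public BCryptPasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }

        /** Builds the provider that loads users through {@code userService} and checks BCrypt hashes. */
        @Bean
        public DaoAuthenticationProvider authenticationProvider() {
            DaoAuthenticationProvider auth = new DaoAuthenticationProvider();
            auth.setUserDetailsService(userService); // custom user details service
            auth.setPasswordEncoder(passwordEncoder()); // BCrypt password encoder
            return auth;
        }

    }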
    

    【讨论】:
