gpt4 book ai didi

java - 使用 Java Config 在多个 HttpSecurity 对象中自定义身份验证过滤器

转载 作者:搜寻专家 更新时间:2023-11-01 03:34:01 28 4
gpt4 key购买 nike

我想使用 spring boot 和 spring java 配置有两个不同的带有自定义身份验证过滤器的 http web 配置。我遵循了可以在这里找到的示例应用程序:https://github.com/spring-projects/spring-security-javaconfig/blob/master/samples-web.md#sample-multi-http-web-configuration .我的理解是,这最终会在每个 Web 配置的单独 spring 过滤器链中结束。但是尽管 Web 配置 url 模式与请求不匹配,但两个过滤器都被调用。例如,请求 http://localhost:8080/api/dosomething将调用两个过滤器,而不仅仅是 CustomApiAuthenticationFilter。当然,可以在 doFilterInternal 中检查请求 url,如果不匹配则忽略请求,但我认为这应该通过尊重相应 Web 配置的 url 模式自动完成。此外,我的 RestController 没有分别被调用,Postman 只收到状态代码 200 OK,没有响应正文。

两个问题:1. 这种行为是设计使然还是配置错误?2. 为什么我的 RestController 没有被调用?

@EnableWebSecurity
public class SecurityConfiguration {

@Configuration
@Order(1)
public static class ApiConfigurationAdapter extends WebSecurityConfigurerAdapter {

@Bean
public GenericFilterBean apiAuthenticationFilter() {
return new CustomApiAuthenticationFilter();
}

@Override
protected void configure(HttpSecurity http) throws Exception {

http.antMatcher("/api/**").addFilterAfter(apiAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests().antMatchers("/api/**").authenticated();
}
}

@Configuration
@Order(2)
public static class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

@Bean
public GenericFilterBean webAuthenticationFilter() {
return new CustomWebAuthenticationFilter();
}

@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/").addFilterAfter(webAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
.authorizeRequests().antMatchers("/").authenticated();
}
}
}

public class CustomApiAuthenticationFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
Authentication auth = new UsernamePasswordAuthenticationToken("sub", "password", ImmutableList.of(new SimpleGrantedAuthority("API")));
SecurityContextHolder.getContext().setAuthentication(auth);
}
}

public class CustomWebAuthenticationFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
Authentication auth = new UsernamePasswordAuthenticationToken("sub", "password", ImmutableList.of(new SimpleGrantedAuthority("USER")));
SecurityContextHolder.getContext().setAuthentication(auth);
}
}

@RestController
public class ApiController {
@RequestMapping(value = "/api/v1/dosomething", method = RequestMethod.GET)
public String getSomething() {
return "something";
}
}

最佳答案

感谢 M. Deinum 给了我正确的答案。以下现在按预期工作,但我仍然不确定这是否是一种合法的方法。

@EnableWebSecurity
public class SecurityConfiguration {

@Configuration
@Order(1)
public static class ApiConfigurationAdapter extends WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {

http.antMatcher("/api/**")
.addFilterAfter(new CustomApiAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests().anyRequest().hasRole("API");
}
}

@Configuration
@Order(2)
public static class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/")
.addFilterAfter(new CustomWebAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
.authorizeRequests().anyRequest().hasRole("USER");
}
}
}

public class CustomApiAuthenticationFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
Authentication auth = new UsernamePasswordAuthenticationToken("sub", "password", ImmutableList.of(new SimpleGrantedAuthority("ROLE_API")));
SecurityContextHolder.getContext().setAuthentication(auth);
filterChain.doFilter(request, response);
}
}

public class CustomWebAuthenticationFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
Authentication auth = new UsernamePasswordAuthenticationToken("sub", "password", ImmutableList.of(new SimpleGrantedAuthority("ROLE_USER")));
SecurityContextHolder.getContext().setAuthentication(auth);
filterChain.doFilter(request, response);
}
}

关于java - 使用 Java Config 在多个 HttpSecurity 对象中自定义身份验证过滤器,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/37304211/

28 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com