java - Spring Security only works for the highest precedence order

Reposted. Author: 行者123. Updated: 2023-11-30 05:38:42

I am trying to integrate Spring MVC into an existing Spring REST project. The security for the Spring REST part works fine. When I try to implement security for Spring MVC at the lowest precedence order, it only applies to the REST API. If I give Spring MVC a high precedence order, then it applies to Spring MVC, but the REST API gets redirected to the login page.

Here are my code snippets.

// base class for the Spring Security config
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig

I have two static classes.

For Spring MVC:

@Configuration
@EnableWebSecurity
@Order(1)
public static class SecurityConfig extends WebSecurityConfigurerAdapter

For the REST API:

@Configuration
@EnableWebSecurity
@Order(2)
public static class ApiSecurity extends WebSecurityConfigurerAdapter

For the Spring MVC configuration:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/admin/**").hasRole("ADMIN")
            .antMatchers("/resources/**").permitAll()
            .anyRequest().authenticated()
        .and()
        .formLogin()
            .loginPage("/admin/login")
            .defaultSuccessUrl("/admin/home", true)
            .permitAll()
        .and()
        .logout()
            .permitAll();
}

For the REST API configuration:

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
        .cors()
        .and()
        // we don't need CSRF because our token is invulnerable
        .csrf().disable()

        .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()

        // don't create session
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()

        .authorizeRequests()

            // Un-secure H2 Database
            .antMatchers("/h2-console/**/**").permitAll()

            .antMatchers("/auth/**").permitAll()
            .antMatchers("/refresh/**").permitAll()

            .antMatchers("/facebook/**").permitAll()
            .antMatchers("/admin/**").permitAll()
            .antMatchers("/v2/api-docs",
                         "/configuration/ui",
                         "/swagger-resources",
                         "/configuration/security",
                         "/swagger-ui.html").permitAll()
            .anyRequest().authenticated();

    // Custom JWT based security filter
    JwtAuthorizationTokenFilter authenticationTokenFilter =
        new JwtAuthorizationTokenFilter(userDetailsService(), jwtTokenUtil, tokenHeader);
    httpSecurity
        .addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);

    // disable page caching
    httpSecurity
        .headers()
        .frameOptions().sameOrigin() // required to set for H2 else H2 Console will be blank.
        .cacheControl();
}

@Override
public void configure(WebSecurity web) throws Exception {
    // AuthenticationTokenFilter will ignore the below paths
    web
        .ignoring()
        .antMatchers(
            HttpMethod.POST,
            authenticationPath)
        .antMatchers(HttpMethod.POST,
            refresh)

        // allow anonymous resource requests
        .and()
        .ignoring()
        .antMatchers(
            HttpMethod.GET,
            "/",
            "/*.html",
            "/*.js",
            "/*.*.*",
            "/**/**/*.*",
            "/favicon.ico",
            "/v2/api-docs",
            "/configuration/ui",
            "/swagger-resources",
            "/configuration/security",
            "/swagger-ui.html",
            "/resources/**",
            "/static/**"
        )

        // Un-secure H2 Database (for testing purposes, H2 console shouldn't be unprotected in production)
        .and()
        .ignoring()
        .antMatchers("/h2-console/**/**");
}

@Bean
public CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Arrays.asList("*"));
    configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
    configuration.setAllowedHeaders(Arrays.asList("authorization", "content-type", "x-auth-token"));
    configuration.setExposedHeaders(Arrays.asList("x-auth-token"));
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}

Best answer

Each WebSecurityConfigurerAdapter basically configures one SecurityFilterChain, which by default will handle all HTTP requests.

When there are multiple SecurityFilterChains, each SecurityFilterChain is checked one by one in precedence order, and the first one that can handle the request is used.

Since both SecurityFilterChains are configured to handle all HTTP requests, the SecurityFilterChain with the higher precedence is always used.

So just change the API's SecurityFilterChain to have the higher precedence, and configure it to handle only the URLs that start with the API endpoint:

@Configuration
@EnableWebSecurity
@Order(Ordered.HIGHEST_PRECEDENCE)
public static class ApiSecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/api/**");
        // continue configuring http ......
    }

}

Regarding "java - Spring Security only works for the highest precedence order", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/56137201/
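The arrangement the answer describes, written out as a complete two-chain configuration. This is an added example, not the asker's or the answerer's code; it assumes the REST endpoints live under `/api/` (so `/api/auth/**` and `/api/refresh/**` are hypothetical paths) and keeps the question's `/admin/login` form login for the MVC side.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    // Consulted first. antMatcher("/api/**") makes this chain claim only API URLs, so a
    // request for /admin/login does not match it and falls through to the MVC chain below.
    @Configuration
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public static class ApiSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")
                .csrf().disable() // token-authenticated API: no session cookie for CSRF to ride on
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                    .antMatchers("/api/auth/**", "/api/refresh/**").permitAll() // assumed paths
                    .anyRequest().authenticated();
            // The question's JwtAuthorizationTokenFilter is registered here with
            // http.addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class).
            // The /admin/** permitAll from the question's API chain is dropped: after scoping,
            // /admin/** is never seen by this chain and stays behind hasRole("ADMIN") in the MVC one.
        }
    }

    // Default adapter order (100): handles every request the API chain did not claim.
    @Configuration
    public static class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/resources/**", "/admin/login").permitAll() // most specific rule first
                    .antMatchers("/admin/**").hasRole("ADMIN")
                    .anyRequest().authenticated()
                .and()
                .formLogin().loginPage("/admin/login").defaultSuccessUrl("/admin/home", true).permitAll()
                .and()
                .logout().permitAll();
        }
    }
}
```

A quick check after wiring this up: an unauthenticated GET on `/api/...` should now come back as a 401/403 from the API chain rather than a redirect to `/admin/login`, while `/admin/home` still redirects to the form.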
