- html - 出于某种原因,IE8 对我的 Sass 文件中继承的 html5 CSS 不友好?
- JMeter 在响应断言中使用 span 标签的问题
- html - 在 :hover and :active? 上具有不同效果的 CSS 动画
- html - 相对于居中的 html 内容固定的 CSS 重复背景?
我们的 Spring Security 配置文件变得越来越大,我们希望将其分成更小的部分。现在我们有以下内容:
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http.securityMatcher(ServerWebExchangeMatchers.pathMatchers("/api/**"))
.authenticationManager(this.authenticationManager);
http.authorizeExchange()
.pathMatchers(HttpMethod.GET, "/api/serviceA/**")
.hasAuthority("PROP_A");
http.authorizeExchange()
.pathMatchers(HttpMethod.GET, "/api/serviceB/**")
.hasAuthority("PROP_B");
http.authorizeExchange().pathMatchers(HttpMethod.POST, "/api/login", "/api/logout", "/api/forgotPassword", "/api/confirmForgotPassword").permitAll();
http.csrf()
.disable()
.formLogin()
.authenticationEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED))
.requiresAuthenticationMatcher(
ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, "/api/login"))
.authenticationFailureHandler(CustomSpringSecurity::onAuthenticationFailure)
.authenticationSuccessHandler(CustomSpringSecurity::onAuthenticationSuccess)
.and()
.logout()
.logoutUrl("/api/logout")
.logoutSuccessHandler(new CustomLogoutSuccessHandler(HttpStatus.OK));
final SecurityWebFilterChain build = http.build();
build
.getWebFilters()
.collectList()
.subscribe(
webFilters -> {
for (WebFilter filter : webFilters) {
if (filter instanceof AuthenticationWebFilter) {
AuthenticationWebFilter awf = (AuthenticationWebFilter) filter;
awf.setServerAuthenticationConverter(CustomSpringSecurity::convert);
}
}
});
return build;
}
我们想使用 securityMatcher
将 /api/seviceA/**
和 /api/seviceB/**
分解到那里自己的SecurityWebFilterChain @Beans
。
但是我们遇到的问题是配置中存在额外的配置。我们希望最终结果如下所示。
public SecurityWebFilterChain securityWebFilterChainForServiceA(ServerHttpSecurity http) {
http.securityMatcher(ServerWebExchangeMatchers.pathMatchers("/api/serviceA/**"));
http.authorizeExchange()
.pathMatchers(HttpMethod.GET, "/api/serviceA/**")
.hasAuthority("PROP_A");
return http.build();
}
我们希望端点的所有其他配置都是隐式的。
如何在 Spring Security 中实现这样的模块化?
最佳答案
您可以像这样指定一个接口(interface):
public interface HttpSecurityConfig {
Consumer<ServerHttpSecurity> configuration();
}
然后创建一个类,为每个端点实现此功能,您可以将其作为 bean 注入(inject):
@Component
public class ServiceASecurityConfig implements HttpSecurityConfig {
@Override
public Consumer<ServerHttpSecurity> configuration() {
return (http) -> {
http.authorizeExchange()
.pathMatchers(HttpMethod.GET, "/api/serviceA/**")
.hasAuthority("PROP_A");
};
}
}
@Component
public class ServiceBSecurityConfig implements HttpSecurityConfig {
@Override
public Consumer<ServerHttpSecurity> configuration() {
return (http) -> {
http.authorizeExchange()
.pathMatchers(HttpMethod.GET, "/api/serviceB/**")
.hasAuthority("PROP_B");
};
}
}
最后修改您的 SecurityWebFilterChain
以便它注入(inject) HttpSecurityConfig
类型的所有 bean 并应用配置,如下所示:
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http, final List<HttpSecurityConfig> httpConfigurations) {
http.securityMatcher(ServerWebExchangeMatchers.pathMatchers("/api/**"))
.authenticationManager(this.authenticationManager);
// This line replaces the individual configurations in your original question
httpConfigurations.forEach(config -> config.configuration().accept(http));
http.authorizeExchange().pathMatchers(HttpMethod.POST, "/api/login", "/api/logout", "/api/forgotPassword", "/api/confirmForgotPassword").permitAll();
http.csrf()
.disable()
.formLogin()
.authenticationEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED))
.requiresAuthenticationMatcher(
ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, "/api/login"))
.authenticationFailureHandler(CustomSpringSecurity::onAuthenticationFailure)
.authenticationSuccessHandler(CustomSpringSecurity::onAuthenticationSuccess)
.and()
.logout()
.logoutUrl("/api/logout")
.logoutSuccessHandler(new CustomLogoutSuccessHandler(HttpStatus.OK));
final SecurityWebFilterChain build = http.build();
build
.getWebFilters()
.collectList()
.subscribe(
webFilters -> {
for (WebFilter filter : webFilters) {
if (filter instanceof AuthenticationWebFilter) {
AuthenticationWebFilter awf = (AuthenticationWebFilter) filter;
awf.setServerAuthenticationConverter(CustomSpringSecurity::convert);
}
}
});
return build;
}
关于java - 模块化 Spring Security SecurityWebFilterChain,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/56730583/
我刚刚开始学习 Spring 的新响应式(Reactive)编程模型,因此我尝试编写一个非常基本的 Web 服务。 这是我的应用程序配置: @SpringBootApplication @Enable
我们的 Spring Security 配置文件变得越来越大,我们希望将其分成更小的部分。现在我们有以下内容: public SecurityWebFilterChain securityWebFil
我在 Spring Boot Webflux 应用程序中使用 Spring security 主要在 HTTPS 上提供流量服务。港口。但是,作为操作要求,我需要在我的 Spring Boot 应用程
我的 spring webflux 应用程序中有几个不同的 API,需要对失败的身份验证做出不同的响应。我正在尝试为每个 API 设置不同的 ServerAuthenticationEntryPoin
我是一名优秀的程序员,十分优秀!