java - Java Spring Boot multiple security adapters
Problem description
I have the following security adapters:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// CommonApplicationProperties, DashboardApplicationProperties, CustomAuthenticationProvider,
// CustomLogoutSuccessHandler, TokenBasedAuthenticationFilter and TokenBasedAuthorizationFilter
// are the asker's own classes and are not shown in the post.
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Autowired CommonApplicationProperties commonProperties;
        @Autowired DashboardApplicationProperties applicationProperties;
        @Autowired
        private CustomAuthenticationProvider authProvider;

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(authProvider);
        }

        @Override
        public void configure(WebSecurity web) throws Exception {
            // Requests matching these patterns bypass the security filter chain entirely.
            web.ignoring().antMatchers(
                "/app/**",
                "/assets/**",
                "/webjars/**"
            );
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .httpBasic().disable()
                .formLogin().disable()
                .logout()
                    .logoutSuccessHandler((new CustomLogoutSuccessHandler(applicationProperties)))
                    .deleteCookies("JSESSIONID")
                .and()
                .addFilter(new TokenBasedAuthenticationFilter(authenticationManager(), applicationProperties, commonProperties.getAuthTokenSecret()))
                .addFilter(new TokenBasedAuthorizationFilter(authenticationManager(), applicationProperties, commonProperties.getAuthTokenSecret()));
            http.headers()
                .contentSecurityPolicy("default-src 'none'; script-src 'self' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:;");
            http.authorizeRequests()
                .antMatchers("/*").permitAll()
                .anyRequest().authenticated();
        }
    }

    @Order(2)
    @Configuration
    public static class DashboardSecurityAdapter extends WebSecurityConfigurerAdapter {
        @Autowired DashboardApplicationProperties applicationProperties;
        @Autowired CommonApplicationProperties commonProperties;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            System.out.println("Dashboard Login Enable");
            http.csrf().disable()
                .requestMatchers()
                    .antMatchers("/assets/**", "/*")
                .and()
                .httpBasic().disable()
                .formLogin().disable();
            http.headers()
                .contentSecurityPolicy("default-src 'none'; script-src 'self' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:;");
        }
    }
}
```
The first one is working. The second one should do the same trick, just without the two addFilter methods. Unfortunately, in DashboardSecurityAdapter I
.
Any idea what is wrong?
Solution
I am not sure whether you can have multiple security configurations like that. What you can do is chain multiple HTTP configurations in a single security configuration. It looks like what you are trying to do is secure your application while allowing anyone to access the static asset files. I would do something like this:
```java
// Goes into the configure(HttpSecurity) of a single WebSecurityConfigurerAdapter;
// applicationProperties, commonProperties and the filter classes are the asker's own.
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        // Static assets are open to everyone; everything else goes through the token filters.
        .authorizeRequests().antMatchers("/assets/**").permitAll()
        .and()
        .httpBasic().disable()
        .formLogin().disable()
        .logout()
            .logoutSuccessHandler((new CustomLogoutSuccessHandler(applicationProperties)))
            .deleteCookies("JSESSIONID")
        .and()
        .addFilter(new TokenBasedAuthenticationFilter(authenticationManager(), applicationProperties, commonProperties.getAuthTokenSecret()))
        .addFilter(new TokenBasedAuthorizationFilter(authenticationManager(), applicationProperties, commonProperties.getAuthTokenSecret()));
}
```
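As an added example (not the asker's or the answerer's code), two ordered adapters where the first one is scoped with antMatcher(): an adapter without a request matcher claims every request, so a later adapter is never consulted. The class names and URL patterns are assumed for illustration, and the custom filters from the question are left out.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Illustrative configuration (Spring Security 5.x); names are assumed, not from the question.
@EnableWebSecurity
public class MultiAdapterSecurityConfig {

    // Adapter 1: only /api/** is routed through this filter chain. Without antMatcher()
    // (or requestMatchers()) the chain would match everything, and because chains are
    // tried in @Order, the dashboard adapter below would never see a request.
    @Configuration
    @Order(1)
    public static class ApiSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**")
                .csrf().disable()   // stateless token API: no session cookie to protect
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .httpBasic().disable()
                .formLogin().disable()
                .authorizeRequests()
                    .anyRequest().authenticated();
            http.headers().contentSecurityPolicy("default-src 'self'");
        }
    }

    // Adapter 2: everything adapter 1 did not claim, i.e. the dashboard UI.
    // Assets are permitted here instead of via web.ignoring(), so the security
    // headers (CSP etc.) are still written on asset responses.
    @Configuration
    @Order(2)
    public static class DashboardSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.httpBasic().disable()
                .formLogin().disable()
                .authorizeRequests()
                    .antMatchers("/assets/**", "/webjars/**", "/app/**", "/*").permitAll()
                    .anyRequest().authenticated();
            http.headers().contentSecurityPolicy("default-src 'self'");
        }
    }
}
```

Starting the application with the logging level of org.springframework.security.web.FilterChainProxy raised to DEBUG shows which chain each request is matched to, which is the quickest way to confirm that the second adapter is actually reached.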