spring - How to configure a SecurityWebFilterChain that combines multiple authorization mechanisms?
Problem description
I want the authorization process to allow a few named endpoints, and to perform an x509 check for all remaining endpoints.
import java.net.URI;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class SslOauth2SecurityConfig {

    // Collaborators used below; they are declared elsewhere in the original configuration
    // (the property type names are assumed), as is getReactiveAuthenticationManager(...)
    private X509PrincipalExtractor principalExtractor;
    private SslConfigProperties sslConfigProperties;
    private StrictHostnameConfigProperties strictHostnameConfigProperties;

    @Bean
    public SecurityWebFilterChain sslOauth2SpringSecurityFilterChain(ServerHttpSecurity http) {
        http
            // the whole chain only applies to exchanges accepted by allowInsecured
            .securityMatcher(ServerWebExchangeMatchers.matchers(this::allowInsecured))
            .x509(x509 -> x509
                .principalExtractor(principalExtractor)
                .authenticationManager(getReactiveAuthenticationManager(sslConfigProperties))
            )
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            // no anonymous users
            .anonymous(ServerHttpSecurity.AnonymousSpec::disable)
            // no basic auth
            .httpBasic(ServerHttpSecurity.HttpBasicSpec::disable)
            // no form login
            .formLogin(ServerHttpSecurity.FormLoginSpec::disable)
            .authorizeExchange().anyExchange().authenticated();
        return http.build();
    }

    // Matches only plain-HTTP requests to the configured excluded paths
    Mono<ServerWebExchangeMatcher.MatchResult> allowInsecured(final ServerWebExchange exchange) {
        // Deny all requests except few known ones
        URI uri = exchange.getRequest().getURI();
        boolean valid = "http".equalsIgnoreCase(uri.getScheme())
            && strictHostnameConfigProperties.getExcludedEndpoints()
                .contains(uri.getPath());
        return valid ? ServerWebExchangeMatcher.MatchResult.match()
                     : ServerWebExchangeMatcher.MatchResult.notMatch();
    }
}
How can I implement a mechanism where, first, if the endpoint matches the security matcher it passes through, and if it does not, it goes through the other authorization mechanism?
Basically an OR of the authorization conditions.
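One way to get that OR behaviour in Spring Security WebFlux is two ordered SecurityWebFilterChain beans: the first claims only the allow-listed plain-HTTP exchanges and permits them, the second has no securityMatcher and so handles everything else with the x509 check (WebFilterChainProxy uses the first chain whose matcher accepts the exchange). This is an added example, not the poster's code; the allow-list values and the principalExtractor / x509AuthenticationManager bean names are assumptions.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;

@Configuration
@EnableWebFluxSecurity
public class MultiChainSecurityConfig {
    // Constructed placeholder allow-list; in practice load it from configuration
    private static final List<String> EXCLUDED_PATHS = List.of("/actuator/health", "/public/info");

    // Same rule as the question's allowInsecured: plain-HTTP request to an allow-listed path
    private static final ServerWebExchangeMatcher INSECURE_ALLOWED = exchange -> {
        var uri = exchange.getRequest().getURI();
        boolean allowed = "http".equalsIgnoreCase(uri.getScheme()) && EXCLUDED_PATHS.contains(uri.getPath());
        return allowed ? ServerWebExchangeMatcher.MatchResult.match()
                       : ServerWebExchangeMatcher.MatchResult.notMatch();
    };

    // Chain 1: evaluated first; claims only the allow-listed exchanges and permits them
    @Bean
    @Order(1)
    public SecurityWebFilterChain insecureEndpointsChain(ServerHttpSecurity http) {
        return http
            .securityMatcher(INSECURE_ALLOWED)
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            .authorizeExchange(ex -> ex.anyExchange().permitAll())
            .build();
    }

    // Chain 2: no securityMatcher, so it handles every exchange chain 1 did not claim
    @Bean
    @Order(2)
    public SecurityWebFilterChain x509Chain(ServerHttpSecurity http,
                                           X509PrincipalExtractor principalExtractor,          // assumed bean
                                           ReactiveAuthenticationManager x509AuthenticationManager) { // assumed bean
        return http
            .x509(x509 -> x509.principalExtractor(principalExtractor)
                              .authenticationManager(x509AuthenticationManager))
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            .anonymous(ServerHttpSecurity.AnonymousSpec::disable)
            .httpBasic(ServerHttpSecurity.HttpBasicSpec::disable)
            .formLogin(ServerHttpSecurity.FormLoginSpec::disable)
            .authorizeExchange(ex -> ex.anyExchange().authenticated())
            .build();
    }
}
```

Keep the permissive chain's matcher as narrow as possible and verify the ordering with a request to a non-listed path, which must reach the x509 chain and be rejected without a client certificate.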