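Java HttpSecurity, WebSecurity and AuthenticationManagerBuilder
Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must likewise follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/22998731/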
Asked by user3488241
Could anyone explain when to override configure(HttpSecurity), configure(WebSecurity) and configure(AuthenticationManagerBuilder)?
Answer by Nick Vasic
configure(AuthenticationManagerBuilder) is used to establish an authentication mechanism by allowing AuthenticationProviders to be added easily: e.g. the following defines the in-memory authentication with the in-built 'user' and 'admin' logins.
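    // inMemoryAuthentication() is declared to throw Exception, so the method must declare it too
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user")
                    .password("password")
                    .roles("USER")
                    .and()
                .withUser("admin")
                    .password("password")
                    .roles("ADMIN", "USER");
    }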
configure(HttpSecurity) allows configuration of web based security at a resource level, based on a selection match - e.g. the example below restricts the URLs that start with /admin/ to users that have ADMIN role, and declares that any other URLs need to be successfully authenticated.
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // rules are evaluated in the order they are declared
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated();
    }
configure(WebSecurity) is used for configuration settings that impact global security (ignore resources, set debug mode, reject requests by implementing a custom firewall definition). For example, the following method would cause any request that starts with /resources/ to be ignored for authentication purposes.
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
                .antMatchers("/resources/**");
    }
You can refer to the following link for more information: Spring Security Java Config Preview: Web Security
Answer by Patel Romil
General use of the WebSecurity ignoring() method omits Spring Security, and none of Spring Security's features will be available. WebSecurity is based above HttpSecurity.
    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
                .antMatchers("/resources/**")
                .antMatchers("/publics/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/publics/**").hasRole("USER") // no effect
                .anyRequest().authenticated();
    }
WebSecurity in the above example lets Spring ignore /resources/** and /publics/**. Therefore the .antMatchers("/publics/**").hasRole("USER") in HttpSecurity is not considered.
This will omit the request pattern from the security filter chain entirely. Note that anything matching this path will then have no authentication or authorization services applied and will be freely accessible.
configure(HttpSecurity) allows configuration of web-based security at a resource level, based on a selection match - e.g. the example below restricts the URLs that start with /admin/ to users that have ADMIN role, and declares that any other URLs need to be successfully authenticated.
configure(WebSecurity) is used for configuration settings that impact global security (ignore resources, set debug mode, reject requests by implementing a custom firewall definition). For example, the following method would cause any request that starts with /resources/ to be ignored for authentication purposes.
AuthenticationManagerBuilder extends AbstractConfiguredSecurityBuilder<AuthenticationManager,AuthenticationManagerBuilder> implements ProviderManagerBuilder<AuthenticationManagerBuilder>
SecurityBuilder used to create an AuthenticationManager. Allows for easily building in memory authentication, LDAP authentication, JDBC based authentication, adding UserDetailsService, and adding AuthenticationProvider's.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
        // customUserDetailService is a UserDetailsService field of the enclosing configuration class
        auth.userDetailsService(customUserDetailService).passwordEncoder(new BCryptPasswordEncoder());
    }
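A regression test for the point made above that a path listed in ignoring() never reaches the authorizeRequests() rules. This is an added example, not code from either answer. It assumes JUnit 4, spring-test and spring-security-test on the classpath with a Spring Security version that still ships WebSecurityConfigurerAdapter; the class name IgnoredPathsTest and the request paths /publics/report and /resources/app.css are made up for illustration.

```java
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.*;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.web.builders.*;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

// Hypothetical test; Config is the answer's example with /publics/** left out of ignoring().
@RunWith(SpringRunner.class)
@WebAppConfiguration
@ContextConfiguration(classes = IgnoredPathsTest.Config.class)
public class IgnoredPathsTest {
    @EnableWebSecurity
    static class Config extends WebSecurityConfigurerAdapter {
        @Override public void configure(WebSecurity web) {
            web.ignoring().antMatchers("/resources/**"); // static assets only
        }
        @Override protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/publics/**").hasRole("USER") // takes effect: path is not ignored
                .anyRequest().authenticated();
        }
    }
    @Autowired private WebApplicationContext ctx;
    private MockMvc mvc;
    @Before public void setUp() {
        mvc = MockMvcBuilders.webAppContextSetup(ctx).apply(springSecurity()).build();
    }
    @Test public void anonymousIsRejectedOnPublics() throws Exception { // 403: filter chain applies
        mvc.perform(get("/publics/report")).andExpect(status().isForbidden());
    }
    @Test @WithMockUser(roles = "USER") public void userIsAuthorizedOnPublics() throws Exception {
        mvc.perform(get("/publics/report")).andExpect(status().isNotFound()); // 404: no handler mapped
    }
    @Test public void ignoredPathBypassesSecurity() throws Exception { // anonymous request gets through
        mvc.perform(get("/resources/app.css")).andExpect(status().isNotFound());
    }
}
```

If /publics/** is added back to ignoring(), anonymousIsRejectedOnPublics fails with 404 instead of 403, which makes the silent loss of the hasRole("USER") rule visible in the build.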