当前位置:theitroad>Spring 安全 Java 配置

Spring 安全 Java 配置

声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow 原文地址: http://stackoverflow.com/questions/20131143/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

提示:将鼠标放在中文语句上可以显示对应的英文。显示中英文
时间:2020-08-12 23:22:47  来源:igfitidea点击:

Spring Security Java Config

javaspring-securityoauth-2.0spring-java-config

提问by Eugen Halca

So recently I migrated the Spring configuration from XML to Java config. It's a Spring OAuth 2 Server, and some endpoints are secured with clients authentication, and some endpoints (confirm_access) are secured with user authentication, which is delegated to login application with a redirect made from a filter ("authenticationFilter"). But I'm not able to do the same with Spring Security Java config :

所以最近我将 Spring 配置从 XML 迁移到 Java 配置。它是一个 Spring OAuth 2 服务器,一些端点通过客户端身份验证进行保护,而一些端点(confirm_access)通过用户身份验证进行保护,用户身份验证委托给登录应用程序,并通过过滤器(“authenticationFilter”)进行重定向。但是我无法对 Spring Security Java config 做同样的事情:

Here my working security XML configuration :

这是我的工作安全 XML 配置:

<sec:http pattern="/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
        entry-point-ref="oauthAuthenticationEntryPoint">
        <sec:intercept-url pattern="/token" access="IS_AUTHENTICATED_FULLY" />
        <sec:anonymous enabled="false" />
        <sec:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
        <!-- include this only if you need to authenticate clients via request parameters -->
        <sec:custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
        <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
    </sec:http>

    <sec:http pattern="/css/**" security="none" />
    <sec:http pattern="/js/**" security="none" />

<sec:http access-denied-page="/errors/access-denied.html" disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint">
        <sec:intercept-url pattern="/authorize" access="ROLE_USER" />
        <sec:intercept-url pattern="confirm_access" access="ROLE_USER" />
        <sec:intercept-url pattern="/device/authorize" access="ROLE_USER" />

        <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

        <sec:custom-filter ref="authenticationFilter" before="ANONYMOUS_FILTER" />
        <sec:anonymous />
    </sec:http>

<sec:authentication-manager id="clientAuthenticationManager">
        <sec:authentication-provider user-service-ref="clientDetailsUserService" />
    </sec:authentication-manager>

    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider ref="authenticationProvider" />
    </sec:authentication-manager>

<sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
        <sec:expression-handler ref="oauthExpressionHandler" />
    </sec:global-method-security>

    <oauth:expression-handler id="oauthExpressionHandler" />

    <oauth:web-expression-handler id="oauthWebExpressionHandler" />


Here is my Java config attempt :


这是我的 Java 配置尝试:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
@Order(1)
@Import({WebSecurityConfig.TokenEndpointSecurityConfigurationAdapter.class,
        WebSecurityConfig.ResourceSecurityConfigurationAdapter.class,
        WebSecurityConfig.AnonymousSecurityConfigurationAdapter.class})
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    ClientDetailsUserDetailsService clientDetailsUserService;

    @Bean(name = "clientAuthenticationManager")
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void registerAuthentication(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(clientDetailsUserService);
    }

    @Configuration
    @Order(2)                                                        
    public static class TokenEndpointSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Autowired
        ClientDetailsUserDetailsService clientDetailsUserService;

        @Autowired
        OAuth2AuthenticationEntryPoint oauthAuthenticationEntryPoint;

        @Autowired
        ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter;

        @Autowired
        OAuth2AccessDeniedHandler oauthAccessDeniedHandler;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .userDetailsService(clientDetailsUserService)
                .anonymous().disable()
                .authorizeUrls()
                .antMatchers("/token")
                .fullyAuthenticated()
            .and()
                .httpBasic()
                .authenticationEntryPoint(oauthAuthenticationEntryPoint)
            .and()
                .addFilterBefore(clientCredentialsTokenEndpointFilter, BasicAuthenticationFilter.class)
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.stateless)
            .and()
                .exceptionHandling().accessDeniedHandler(oauthAccessDeniedHandler);
        }

    }

    @Configuration
    @Order(3)                                                        
    public static class ResourceSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter{

        @Override
        public void configure(WebSecurity web) throws Exception {
            web
                .ignoring()
                    .antMatchers("/css/**","/js/**");
        }
    }

    @Configuration
    @Order(4)                                                        
    public static class AnonymousSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter{

        @Autowired
        OAuth2AuthenticationEntryPoint oauthAuthenticationEntryPoint;

        @Autowired
        AuthenticationFilter authenticationFilter;

        @Autowired
        PreAuthenticatedAuthenticationProvider authenticationProvider;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authenticationProvider(authenticationProvider)
                .addFilterBefore(authenticationFilter, AnonymousAuthenticationFilter.class)
                .authorizeUrls().anyRequest().anonymous()
            .and()
                .authorizeUrls()
                .antMatchers("/authorize","confirm_access","/custom/authorize")
                .hasRole("USER")
            .and()
                .exceptionHandling().accessDeniedPage("/errors/access-denied.html");
        }
    }
}

With this config Spring Security tries to authenticate user for all endpoints, and displays generate login form, so custom filter is not added.
Where is my mistake ?

使用此配置 Spring Security 尝试对所有端点的用户进行身份验证,并显示生成登录表单,因此未添加自定义过滤器。
我的错误在哪里?

采纳答案by Rob Winch

Since your original configuration only contains two httpelements your new configuration should only contain two WebSecurityConfigurerAdapterinstances. Each WebSecurityConfigurerAdapterinstance is mapped using the http.antMatchers. Currently WebSecurityConfigurerAdapteris mapped to every URL.

由于您的原始配置仅包含两个http元素,因此您的新配置应仅包含两个WebSecurityConfigurerAdapter实例。每个WebSecurityConfigurerAdapter实例都使用http.antMatchers. 当前WebSecurityConfigurerAdapter映射到每个 URL。

You can refer to the reference for an exampleof how to use multiple WebSecurityConfigurerAdapterinstances (which is the equivalent of )

可以参考参考为一个例子的如何使用多个WebSecurityConfigurerAdapter实例(其是等效的)

相关推荐

Java 我们什么时候应该在字符串文字上使用字符串的实习生方法

Java 我们什么时候应该在字符串文字上使用字符串的实习生方法

JavaMail 中的错误:PKIX 路径构建失败,无法找到所请求目标的有效认证路径

JavaMail 中的错误:PKIX 路径构建失败,无法找到所请求目标的有效认证路径

Java 从文件中读取双精度值

Java 从文件中读取双精度值

Java 放入 <result> 标签时未执行 MyBatis 自定义 TypeHandler

Java 放入 <result> 标签时未执行 MyBatis 自定义 TypeHandler

相关推荐
最近更新
标签