
我正在写Spring应用程序来服务移动以及Web门户请求。 我已经添加了控制器来处理Web门户请求和RestController来处理移动请求。这是我在单个项目中完成的所有事情。如何在Spring MVC应用程序中添加两个安全策略?

我已经在auth.xml中配置了认证以及其他所有内容。

<!-- Chain 1: the mobile/REST API under /api/**. create-session="stateless" means no HTTP
     session is created or used; authentication comes from the custom token filter below,
     which is plugged into the FORM_LOGIN_FILTER slot. Only /api/auth and /api/token are open
     (presumably the endpoints that issue a token - confirm); everything else under /api/
     must be authenticated on every request. -->
<security:http pattern="/api/**" entry-point-ref="restAuthenticationEntryPoint" use-expressions="true" auto-config="false" create-session="stateless" >
      <security:intercept-url pattern="/api/auth" access="permitAll" /> 
      <security:intercept-url pattern="/api/token" access="permitAll" /> 
      <security:custom-filter ref="authenticationTokenProcessingFilter" position="FORM_LOGIN_FILTER" /> 
      <security:intercept-url pattern="/api/**" access="isAuthenticated()" /> 

      <!-- NOTE(review): on a stateless chain there is no session to invalidate, so this
           logout only clears the per-request security context; an issued token stays
           usable until the token store itself revokes it - confirm that is handled. -->
      <security:logout /> 
     </security:http> 

     <!-- The token filter referenced by chain 1 above. The single constructor argument is the
          URL pattern it is given; how the filter uses it is inside com.auth.TokenAuthenticationFilter
          and not visible here. -->
     <bean class="com.auth.TokenAuthenticationFilter" 
      id="authenticationTokenProcessingFilter"> 
      <constructor-arg type="java.lang.String"><value>/api/**</value></constructor-arg> 
     </bean> 


<!-- Code for REST API Authentication --> 

    <!-- create-session="stateless" --> 

    <!-- Chain 2: the browser-facing web portal (no pattern, so it catches everything chain 1
         did not). This chain is session-based: form login, remember-me, concurrent-session
         control and explicit session invalidation on logout. -->
    <security:http auto-config="false" use-expressions="true" entry-point-ref="ajaxAwareAuthenticationEntryPoint" disable-url-rewriting="true">  
     <!-- NOTE(review): chain 1 writes access="permitAll"; both spellings are accepted with
          use-expressions="true", but one form throughout is easier to audit. -->
     <security:intercept-url pattern="/login" access="permitAll()" /> 
     <security:intercept-url pattern="/**" access="isAuthenticated()" /> 


     <security:custom-filter position="FORM_LOGIN_FILTER" ref="authenticationFilter" /> 
     <security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" /> 

     <!-- NOTE(review): the login page is /login above but logout lands on /login.do - confirm both
          mappings exist. -->
     <security:logout logout-url="/logout" logout-success-url="/login.do" invalidate-session="true" /> 
     <security:remember-me services-ref="rememberMeService" /> 
     <security:session-management session-authentication-strategy-ref="sas" /> 
     <!-- CSRF protection is switched off on a chain that authenticates with cookies (session +
          remember-me) and accepts form posts - exactly the setup CSRF protection exists for.
          Unless the portal has its own CSRF token mechanism, this should stay enabled; it is the
          stateless /api/** chain, not this one, where disabling it is defensible. -->
     <security:csrf disabled="true"/> 

    </security:http> 

但我想整合Spring OAuth 2.0。 任何人都可以有同样的想法吗?

回答


试试Spring Security。它具有内置的功能，您可以随时为自己的目的覆盖现有的行为。


在我看来，所提供的配置就是Spring Security的配置.. – Tobb


仅供参考，作者没有给问题打上Spring Security的标签，这意味着他不熟悉Spring Security – FaigB


这并不一定说明这一点，也可能只是说明他不知道如何正确地给问题打标签。问题中提供的配置仍然是Spring Security的配置。 – Tobb


您可以为2个不同的路径配置2个不同的安全过滤器链。这样，您就可以对应用程序的不同路径采用不同的保护方式。通常，您希望“/public/”可供任何人访问，而“/api/”则通过身份验证进行保护。

我强烈建议通过扩展WebSecurityConfigurerAdapter来配置Java中的Spring Security。

下面是一个示例Java配置,它只保护一些端点,同时让其他人可以公开访问。

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Requests that are taken out of the security filter chain altogether
     * (see {@link #configure(WebSecurity)}). Anything not matched here is protected.
     */
    private static final RequestMatcher PUBLIC_URLS = new OrRequestMatcher(
            // every OPTIONS request, whatever the path — presumably CORS preflight; confirm
            new AntPathRequestMatcher("/**", OPTIONS.toString()),
            path("/public/**"),
            path("/health"),
            // Spring Social
            path("/signin/**"),
            path("/auth/**"),
            // Swagger documentation
            path("/swagger-ui.html"),
            path("/v2/api-docs"),
            path("/swagger-resources/**"),
            path("/webjars/**"));

    /** The complement of {@link #PUBLIC_URLS}: every one of these requests needs a valid token. */
    private static final RequestMatcher PROTECTED_URLS = new NegatedRequestMatcher(PUBLIC_URLS);

    @Autowired
    private RESTAuthenticationProvider authenticationProvider;

    @Autowired
    private TokenService credentials;

    @Autowired
    private UserSecurityService users;

    /** Builds a path-only matcher; keeps the {@code PUBLIC_URLS} list readable. */
    private static RequestMatcher path(final String pattern) {
        return new AntPathRequestMatcher(pattern);
    }

    /** Registers the single REST authentication provider with the authentication manager. */
    @Override
    protected void configure(final AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(authenticationProvider);
    }

    /**
     * Exposes the authentication manager as a bean so the token filter below can use it.
     *
     * @throws Exception propagated from the adapter's builder
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Excludes {@link #PUBLIC_URLS} from the security filter chain.
     *
     * <p>{@code ignoring()} is stronger than {@code permitAll()}: these requests never enter
     * Spring Security at all, so no security headers, no entry point and no other security
     * filter run for them. If those headers are wanted on public pages, move the matcher into
     * {@link #configure(HttpSecurity)} as {@code permitAll()} instead.
     *
     * @throws Exception propagated from the adapter
     */
    @Override
    public void configure(final WebSecurity web) throws Exception {
        web.ignoring().requestMatchers(PUBLIC_URLS);
    }

    /**
     * Wires the stateless, token-only chain for everything that is not public.
     *
     * @throws Exception propagated from bean creation
     */
    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // An unauthenticated request for a protected URL gets a 401 instead of a login redirect.
        http.exceptionHandling()
                .defaultAuthenticationEntryPointFor(forbiddenEntryPoint(), PROTECTED_URLS);

        http.authenticationProvider(authenticationProvider);

        // The token filter must run before the anonymous filter, otherwise every request would
        // already carry an anonymous principal when it reaches authorization.
        http.addFilterBefore(restAuthenticationFilter(), AnonymousAuthenticationFilter.class);

        // Public paths never reach this chain (see configure(WebSecurity)), so "any request" here
        // really means "any protected request".
        http.authorizeRequests()
                .anyRequest()
                .authenticated();

        // Nothing session- or browser-based is enabled on this chain. CSRF can only be left off
        // because no session cookie is issued; this assumes the filter reads the token from a
        // request header rather than a cookie — confirm in RESTAuthenticationFilter.
        http.csrf().disable();
        http.formLogin().disable();
        http.httpBasic().disable();
        http.logout().disable();
        http.sessionManagement().disable();
    }

    /**
     * The filter that authenticates protected requests from the token they carry.
     *
     * @throws Exception propagated from {@link #authenticationManagerBean()}
     */
    @Bean
    RESTAuthenticationFilter restAuthenticationFilter() throws Exception {
        final RESTAuthenticationFilter tokenFilter =
                new RESTAuthenticationFilter(PROTECTED_URLS, credentials);
        tokenFilter.setAuthenticationSuccessHandler(getSuccessHandler());
        tokenFilter.setAuthenticationManager(authenticationManagerBean());
        return tokenFilter;
    }

    /**
     * Success handler that does not redirect. Spring's default handler would send the client
     * to another URL after a successful authentication; here the authentication and the
     * resource request are the same HTTP request, so the response must not be diverted.
     */
    @Bean
    SimpleUrlAuthenticationSuccessHandler getSuccessHandler() {
        final SimpleUrlAuthenticationSuccessHandler noRedirectHandler =
                new SimpleUrlAuthenticationSuccessHandler();
        noRedirectHandler.setRedirectStrategy(new NoRedirectStrategy());
        return noRedirectHandler;
    }

    /** Entry point used for unauthenticated protected requests: a 401 advertising the "Bearer" scheme. */
    @Bean
    AuthenticationEntryPoint forbiddenEntryPoint() {
        final AuthenticationEntryPoint bearerChallenge = new Http401AuthenticationEntryPoint("Bearer");
        return bearerChallenge;
    }

}


谢谢 @Octoperf.com –
