1. 首页
  2. 问答
  3. 弹簧安全 - 结合http basic和formlogin

弹簧安全 - 结合http basic和formlogin

2017-09-06 137 views
1

我已经编写了以下类来配置httpBasicformLogin。但是,formLogin身份验证不适用于上述网址。 HTTPBasic身份验证适用于上述的网址。好心帮明白是怎么回事错在这里弹簧安全 - 结合http basic和formlogin

import com.sun.research.ws.wadl.HTTPMethods; 
import org.springframework.beans.factory.annotation.Autowired; 
import org.springframework.context.annotation.Configuration; 
import org.springframework.core.annotation.Order; 
import org.springframework.http.HttpMethod; 
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; 
import org.springframework.security.config.annotation.web.builders.HttpSecurity; 
import org.springframework.security.config.annotation.web.builders.WebSecurity; 
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; 
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; 
import org.springframework.security.web.util.matcher.AntPathRequestMatcher; 



@EnableWebSecurity 
public class SpringSecurityConfig{ 

    /** 
    @Autowired 
    private AuthenticationEntryPoint authEntryPoint; 

    @Override 
    protected void configure(HttpSecurity http) throws Exception { 
     //http.csrf().disable().authorizeRequests() 
     //  .anyRequest().authenticated() 
     //  .and().httpBasic() 
     //  .authenticationEntryPoint(authEntryPoint); 
     http.csrf().disable().authorizeRequests() 
       .antMatchers(HttpMethod.GET,"/pay").permitAll() 
       .antMatchers(HttpMethod.GET,"/success").permitAll() 
       .antMatchers(HttpMethod.GET,"/cancel").permitAll() 
       .antMatchers(HttpMethod.POST,"/create-payment").permitAll() 
       .antMatchers(HttpMethod.POST,"/execute-payment").permitAll() 
       .antMatchers(HttpMethod.GET,"/api/ipad/sendSMS").hasRole("USER") 
       .antMatchers(HttpMethod.GET,"/api/ipad/deactivate").hasRole("USER") 
       .antMatchers(HttpMethod.GET,"/**").hasRole("USER") 
       .antMatchers(HttpMethod.POST,"/**").hasRole("USER") 
       .antMatchers(HttpMethod.PUT,"/**").hasRole("USER") 
       .antMatchers(HttpMethod.DELETE,"/**").hasRole("USER") 
       .antMatchers(HttpMethod.PATCH,"/**").hasRole("USER") 
       .and().httpBasic() 
       .authenticationEntryPoint(authEntryPoint); 
    } 
    **/ 
    @Autowired 
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { 
     auth.inMemoryAuthentication().withUser("admin").password("123abc").roles("USER"); 
    } 


    @Configuration 
    @Order(1) 
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter { 



     protected void configure(HttpSecurity http) throws Exception { 
      http.csrf().disable().authorizeRequests() 
        .antMatchers(HttpMethod.GET,"/pay").permitAll() 
        .antMatchers(HttpMethod.GET,"/success").permitAll() 
        .antMatchers(HttpMethod.GET,"/cancel").permitAll() 
        .antMatchers(HttpMethod.POST,"/create-payment").permitAll() 
        .antMatchers(HttpMethod.POST,"/execute-payment").permitAll() 
        .antMatchers(HttpMethod.GET,"/api/ipad/sendSMS").hasRole("USER") 
        .antMatchers(HttpMethod.GET,"/api/ipad/deactivate").hasRole("USER") 
        .and().httpBasic(); 
        //.authenticationEntryPoint(authEntryPoint); 
     } 
    } 

// @Configuration 
// public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { 
// 
//  @Override 
//  protected void configure(HttpSecurity http) throws Exception { 
//   http.csrf().disable().authorizeRequests() 
//     .antMatchers(HttpMethod.GET,"/**").hasRole("USER") 
//     .antMatchers(HttpMethod.POST,"/**").hasRole("USER") 
//     .antMatchers(HttpMethod.PUT,"/**").hasRole("USER") 
//     .antMatchers(HttpMethod.DELETE,"/**").hasRole("USER") 
//     .antMatchers(HttpMethod.PATCH,"/**").hasRole("USER") 
//     .and().formLogin(); 
////   http 
////     .authorizeRequests() 
////     .anyRequest().authenticated() 
////     .and() 
////     .formLogin(); 
// 
//  } 
// } 
    @Configuration 
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { 

     @Override 
     protected void configure(HttpSecurity http) throws Exception { 
//   http 
//     .authorizeRequests() 
//     .anyRequest().authenticated() 
//     .and() 
//     .formLogin(); 
         http.authorizeRequests() 
        .antMatchers(HttpMethod.GET,"/**").hasRole("USER") 
        .antMatchers(HttpMethod.POST,"/**").hasRole("USER") 
        .antMatchers(HttpMethod.PUT,"/**").hasRole("USER") 
        .antMatchers(HttpMethod.DELETE,"/**").hasRole("USER") 
        .antMatchers(HttpMethod.PATCH,"/**").hasRole("USER") 
        .and().formLogin(); 
     } 
    } 


}

基本上,我在做什么在上面的配置是,如果用户访问比是在order(1)提到的其他任何网页,我希望应用程序基于使用形式认证。但是,身份验证仅适用于order(1)页面,其余部分不适用身份验证。请帮助理解我的配置是否不正确。

来源

2017-09-06 KItis

回答

1

您是否尝试过在同一个configure()方法中使用“formlogin”身份验证和“http basic”身份验证(用于其他api)?

也许它会帮助,甚至缩短代码。

实施例:

@Override 
    protected void configure(HttpSecurity http) throws Exception { 
    http 
    .formLogin() 
    .loginPage("/login") 
    .and() 
    .httpBasic() 
    .realmName("Spittr") 
    .and() 
    ... 
    }

“注意,和()方法用于链在一起的不同配置指令在配置()。”

(via Spring in Action第4版,第269页)

来源

2017-09-06 08:00:36 Z3d4s

相关问题

 相关问题