Spring Boot: Authenticating both a Stateless REST API and a Stateful “Login” Web Controller in the same project?

南旧 2021-02-04 22:59

So I have an application that contains a REST API which is used by a custom Java application on an IoT device with no user interaction. And I also have a web app which needs a st

1 answer
  •  囚心锁ツ
    2021-02-04 23:10

    One way to achieve what you are looking for is to have 2 configurations in your Spring Security, e.g.:

    Pay attention to antMatcher (matcher, not matchers). The antMatcher controls which set of URLs your entire config applies to, i.e. FormLoginWebSecurityConfigurerAdapter in the example below will apply only to URIs matching /api/test/**. Of course, you can define the antMatcher in only one of the configs, say config1, and the other config in that case will be a catch-all (i.e. it catches everything that does not match config1).

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@EnableWebSecurity
@Configuration
public class SecurityConfig {

    // The lower @Order value is consulted first: a request matching /api/v1/**
    // is handled by this configuration and never reaches the form-login one below.
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            // {noop} tells the Spring Security 5 DelegatingPasswordEncoder the password is
            // stored as plain text; fine for a demo, never for real credentials.
            auth.inMemoryAuthentication().withUser("user").password("{noop}user").roles("USER");
            auth.inMemoryAuthentication().withUser("admin").password("{noop}admin").roles("ADMIN");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // No HTTP session for the device API: every request must carry its own credentials.
            http.sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

            http
                .antMatcher("/api/v1/**")                    // this whole configuration applies only to /api/v1/**
                .authorizeRequests()
                .antMatchers("/api/v1/**").authenticated()   // within that scope, every request needs authentication
                    .and()
                .httpBasic();
        }
    }

    @Configuration
    @Order(2)
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication().withUser("user1").password("{noop}user").roles("USER");
            auth.inMemoryAuthentication().withUser("admin1").password("{noop}admin").roles("ADMIN");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // CONFIGURE TYPE OF SESSION POLICY: the browser login gets a server-side session.
            http.sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);

            http
                .antMatcher("/api/test/**")
                .authorizeRequests()
                .antMatchers("/api/test/**").authenticated()
                    .and()
                .formLogin();
        }
    }
}
```
    
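The same two-configuration split written in the `SecurityFilterChain` style that replaced `WebSecurityConfigurerAdapter` (deprecated in Spring Security 5.7, removed in 6.0), added here as an example that is not part of the original answer and assumes Spring Security 6.x; the class name, user names, passwords and role names are made-up placeholders. It goes one step further than the answer's code by giving each chain its own `AuthenticationManager`, so device credentials can never be used for the browser login (or vice versa), and by disabling CSRF only on the stateless chain.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class DualSecurityConfig {   // hypothetical class name
    // Delegating encoder (bcrypt by default) so no password is stored or compared in plain text.
    private static final PasswordEncoder ENCODER = PasswordEncoderFactories.createDelegatingPasswordEncoder();
    // Separate AuthenticationManager per chain: device credentials are never valid for the web login and vice versa.
    private static AuthenticationManager managerFor(String username, String password, String role) {
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager(
                User.withUsername(username).password(ENCODER.encode(password)).roles(role).build());
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(ENCODER);
        return new ProviderManager(provider);
    }
    @Bean @Order(1)   // consulted first; securityMatcher confines this chain to the device API
    public SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/api/v1/**")
            .authenticationManager(managerFor("device", "CHANGE-ME", "DEVICE"))   // placeholder credentials
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())   // no session cookie is issued, so a CSRF token has nothing to protect
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
    @Bean @Order(2)   // no securityMatcher: catch-all for everything the API chain did not claim
    public SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http.authenticationManager(managerFor("user1", "CHANGE-ME", "USER"))   // placeholder credentials
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());   // CSRF stays on: this chain uses a session cookie
        return http.build();
    }
}
```

A quick check after wiring this in: an unauthenticated `GET /api/v1/anything` should answer 401 with a `WWW-Authenticate: Basic` header and no `Set-Cookie`, while an unauthenticated `GET /` should redirect (302) to `/login`.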
