Spring Security : Multiple HTTP Config not working

后端 未结 2 814
深忆病人
深忆病人 2020-11-22 13:27

I am trying to use Spring Security and I have a use case where I want different login pages and different set of URLs to be secured.

Here is my configuration:

<
相关标签:
2条回答
  • 2020-11-22 13:47

    Look at the Spring Security Reference:

    @EnableWebSecurity
    public class MultiHttpSecurityConfig {
      @Autowired
      public void configureGlobal(AuthenticationManagerBuilder auth) { 1
          auth
              .inMemoryAuthentication()
                  .withUser("user").password("password").roles("USER").and()
                  .withUser("admin").password("password").roles("USER", "ADMIN");
      }
    
      @Configuration
      @Order(1)                                                        2
      public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
          protected void configure(HttpSecurity http) throws Exception {
              http
                  .antMatcher("/api/**")                               3
                  .authorizeRequests()
                      .anyRequest().hasRole("ADMIN")
                      .and()
                  .httpBasic();
          }
      }    
    
      @Configuration                                                   4
      public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
    
          @Override
          protected void configure(HttpSecurity http) throws Exception {
              http
                  .authorizeRequests()
                      .anyRequest().authenticated()
                      .and()
                  .formLogin();
          }
      }
    }
    

    1 Configure Authentication as normal

    2 Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first.

    3 The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/

    4 Create another instance of WebSecurityConfigurerAdapter. If the URL does not start with /api/ this configuration will be used. This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).

    Your second configuration is not used, because your first configuration matches /** (no antMatcher configured). And your first configuration restricts only /admin/**, all other URLs are permitted by default.

    0 讨论(0)
  • 2020-11-22 13:57

    Your first WebSecurityConfigurerAdapter's

    http
                .authorizeRequests()
    

    matches all the URLs, limit it to only URLs start with /admin by using antMatcher:

    @Configuration
    @Order(1)
    public static class ProviderSecurity extends WebSecurityConfigurerAdapter{
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/admin/**")
                    .authorizeRequests()
                    .antMatchers("/admin/login").permitAll()
                    .antMatchers("/admin/**").access("hasRole('BASE_USER')")
                    .and()
    
                    ...
    
    0 讨论(0)
提交回复
热议问题