Spring 安全 4 个自定义匹配器
Spring Security 4 customize matchers
我有一些本地服务映射到相同的基础 url 部分。用户的这项服务应该关闭,但其中一项服务由 ZooKeeper 使用,应该打开。
所以我配置了:
@Configuration
@EnableWebSecurity(debug = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("us").roles("USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/inner/service/**").hasRole("USER")
.and().antMatcher("/inner/service/event/bus").csrf().disable().anonymous()
.and().formLogin().and().logout().and().httpBasic();
}
}
此配置无效。我不仅为活动提供开放服务。每个服务都是开放的。如果我将配置更改为:
@Configuration
@EnableWebSecurity(debug = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("us").roles("USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/inner/service/**").hasRole("USER")
.and().formLogin().and().logout().and().httpBasic();
}
}
所有服务都关闭了。
是否可以到处配置匿名请求
"/**"
通过路径验证的服务
"/inner/service/**"
开一个
"/inner/service/event/bus"
?
P.S。
开放服务用于 ZooKeeper 响应。
解决方案是:
移动到其他路径(以提供未交叉的通行证)
"/inner/service/event/bus"
// for example
"/inner/event/bus"
更改 http 安全配置:
@Override
protected void configure(HttpSecurity http) throws Exception {
// to ignore csrf filter for zookeeper client api
http.csrf().ignoringAntMatchers("/inner/event/bus");
// configure the HttpSecurity
http.antMatcher("/inner/service/**").authorizeRequests()
// configure open resources. this configuration can be missed because of root level security (see line before)
.antMatchers("/", "/index.html", "/inner/event/bus", "view.html").permitAll()
// configure role for specified api
.antMatchers("/inner/service/**").hasRole("USER")
// to use default login and logout api
.and().formLogin().and().logout().logoutSuccessUrl("/").and().httpBasic();
}
如果我删除一条指令,此解决方案也有效:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().ignoringAntMatchers("/inner/event/bus");
http.antMatcher("/inner/service/**").authorizeRequests()
.antMatchers("/inner/service/**").hasRole("USER")
.and().formLogin().and().logout().logoutSuccessUrl("/").and().httpBasic();
}
还有一点很重要(我认为很重要)。
我已从我的 *.yml 文件中删除所有安全自定义。
我有一些本地服务映射到相同的基础 url 部分。用户的这项服务应该关闭,但其中一项服务由 ZooKeeper 使用,应该打开。 所以我配置了:
@Configuration
@EnableWebSecurity(debug = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("us").roles("USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/inner/service/**").hasRole("USER")
.and().antMatcher("/inner/service/event/bus").csrf().disable().anonymous()
.and().formLogin().and().logout().and().httpBasic();
}
}
此配置无效。我不仅为活动提供开放服务。每个服务都是开放的。如果我将配置更改为:
@Configuration
@EnableWebSecurity(debug = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("us").roles("USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/inner/service/**").hasRole("USER")
.and().formLogin().and().logout().and().httpBasic();
}
}
所有服务都关闭了。
是否可以到处配置匿名请求
"/**"
通过路径验证的服务
"/inner/service/**"
开一个
"/inner/service/event/bus"
?
P.S。 开放服务用于 ZooKeeper 响应。
解决方案是:
移动到其他路径(以提供未交叉的通行证)
"/inner/service/event/bus" // for example "/inner/event/bus"更改 http 安全配置:
@Override protected void configure(HttpSecurity http) throws Exception { // to ignore csrf filter for zookeeper client api http.csrf().ignoringAntMatchers("/inner/event/bus"); // configure the HttpSecurity http.antMatcher("/inner/service/**").authorizeRequests() // configure open resources. this configuration can be missed because of root level security (see line before) .antMatchers("/", "/index.html", "/inner/event/bus", "view.html").permitAll() // configure role for specified api .antMatchers("/inner/service/**").hasRole("USER") // to use default login and logout api .and().formLogin().and().logout().logoutSuccessUrl("/").and().httpBasic(); }
如果我删除一条指令,此解决方案也有效:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().ignoringAntMatchers("/inner/event/bus");
http.antMatcher("/inner/service/**").authorizeRequests()
.antMatchers("/inner/service/**").hasRole("USER")
.and().formLogin().and().logout().logoutSuccessUrl("/").and().httpBasic();
}
还有一点很重要(我认为很重要)。 我已从我的 *.yml 文件中删除所有安全自定义。