Convert multiple security http configuration from xml to java configuration
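I have multiple security:http configurations in my xml, with different entry-point-ref values. I am trying to convert this configuration to Java config.
I read that this is possible using multiple subclasses that extend WebSecurityConfigurerAdapter.
How should I configure the entry-point-ref for each of them in Java config?
Below is the xml configuration.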
<security:http request-matcher-ref="preReqMatcher" auto-config="false" use-expressions="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
    <custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter" />
    <custom-filter after="CAS_FILTER" ref="attrFilter" />
    <intercept-url pattern="/**" access="ROLE_USER" />
    <csrf disabled="true"/>
</security:http>
<security:http auto-config="true" entry-point-ref="casEntryPoint" use-expressions="false" disable-url-rewriting="false">
    <custom-filter position="CAS_FILTER" ref="casFilter" />
    <custom-filter after="CAS_FILTER" ref="attrFilter" />
    <intercept-url pattern="/**" access="ROLE_USER" />
    <custom-filter ref="testFilter" before="CAS_FILTER" />
    <csrf disabled="true"/>
</security:http>
Security configuration with Java classes comes first for the "web" part (requests), and org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration is used for the "global" part (service layer).
In the subclass of WebSecurityConfigurerAdapter, you have to override some "configure(...)" methods: (example only...)
public void configure(final WebSecurity web) throws Exception {
    // @formatter:off
    web.ignoring()
        .antMatchers("/*.html","/*.ico","/css/**","/html/**","/i18n/**","/img/**","/js/**","/lib/**");
    // @formatter:on
}
protected void configure(final HttpSecurity http) throws Exception {
    http.headers()
        .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN))
        .and()
        .csrf().disable()
        .addFilterAfter(jeePreAuthenticatedFilter(), AbstractPreAuthenticatedProcessingFilter.class)
        .addFilterBefore(new BasicAuthenticationFilter(authenticationManagerBean()),
            UsernamePasswordAuthenticationFilter.class)
        .addFilterBefore(switchUserProcessingFilter(), SwitchUserFilter.class)
        .authorizeRequests()
            .antMatchers("/*.html","/*.ico","/css/**","/html/**","/i18n/**","/img/**","/js/**","/lib/**").permitAll()
            .anyRequest().authenticated()
        .and()
        .sessionManagement()
            .sessionFixation().none().maximumSessions(maxSessionsPerUser)
            .sessionRegistry(sessionRegistry)
    ;
}
protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(basicDAOAuthenticationProvider());
    auth.authenticationProvider(preauthAuthProvider());
}
In that @Configuration class, you should/could also have beans for MethodSecurityMetadataSource, AccessDecisionManager, AccessDecisionVoter, ... your authentication providers, ...
Same principle for your @Configuration subclass of GlobalMethodSecurityConfiguration:
protected AccessDecisionManager accessDecisionManager() {
    ...
}
protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
    ...
}
protected MethodSecurityExpressionHandler createExpressionHandler() {
    ...;
}
@Bean
public MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
    ...
}
Below is the approach I came up with to configure the entry point.
http.httpBasic().authenticationEntryPoint(preAuthenticatedProcessingFilterEntryPoint);