Convert multiple security http configuration from xml to java configuration

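I have multiple security:http configurations in my xml, with different entry-point references. I am trying to convert this configuration to java config.

I read that this can be done with multiple subclasses extending WebSecurityConfigurerAdapter.

How should I configure the entry-point-ref for each of them in java config?

Below is the xml configuration.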

<security:http request-matcher-ref="preReqMatcher" auto-config="false" use-expressions="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
    <custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter" />
    <custom-filter after="CAS_FILTER" ref="attrFilter" />
    <intercept-url pattern="/**" access="ROLE_USER" />  
    <csrf disabled="true"/> 
</security:http> 

<security:http auto-config="true" entry-point-ref="casEntryPoint" use-expressions="false" disable-url-rewriting="false">
    <custom-filter position="CAS_FILTER" ref="casFilter" />
    <custom-filter after="CAS_FILTER" ref="attrFilter" />
    <intercept-url pattern="/**" access="ROLE_USER" />
    <custom-filter ref="testFilter" before="CAS_FILTER" />
    <csrf disabled="true"/>
</security:http>

Security configuration using Java classes is first for the "web" part (requests), and org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration is for the "global" part (service layer).

In the subclass of WebSecurityConfigurerAdapter, you have to override some "configure(...)" methods: (just an example...)

public void configure(final WebSecurity web) throws Exception {
    // Requests matching these patterns bypass the security filter chain entirely
    //  @formatter:off
    web.ignoring()
        .antMatchers("/*.html","/*.ico","/css/**","/html/**","/i18n/**","/img/**","/js/**","/lib/**");
    //  @formatter:on
}

protected void configure(final HttpSecurity http) throws Exception {
    http.headers()
            .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN))
        .and()
            // CSRF protection is switched off for this chain
            .csrf().disable()
            .addFilterAfter(jeePreAuthenticatedFilter(), AbstractPreAuthenticatedProcessingFilter.class)
            .addFilterBefore(new BasicAuthenticationFilter(authenticationManagerBean()),
                UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(switchUserProcessingFilter(), SwitchUserFilter.class)
            .authorizeRequests()
                .antMatchers("/*.html","/*.ico","/css/**","/html/**","/i18n/**","/img/**","/js/**","/lib/**").permitAll()
                .anyRequest().authenticated()
        .and()
            .sessionManagement()
            // sessionFixation().none() keeps the same session id after login
            .sessionFixation().none().maximumSessions(maxSessionsPerUser)
            .sessionRegistry(sessionRegistry);
}

protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(basicDAOAuthenticationProvider());
    auth.authenticationProvider(preauthAuthProvider());
}

In that @Configuration class, you should/could also have beans for MethodSecurityMetadataSource, AccessDecisionManager, AccessDecisionVoter, ... your authentication providers, ...

The same principle applies to your @Configuration subclass of GlobalMethodSecurityConfiguration:

protected AccessDecisionManager accessDecisionManager() {
...
}

protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
...
}

protected MethodSecurityExpressionHandler createExpressionHandler() {
    ...;
}


@Bean
public MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
...
}

Here is the approach I came up with for configuring the entry point.

http.httpBasic().authenticationEntryPoint(preAuthenticatedProcessingFilterEntryPoint);