Spring API 路由问题的网络安全配置
Spring Web Security configuration for API routes issue
我有 Spring 带有 REST 的应用程序 API。
在我的 WebSecurityConfig 中,我配置了访问路由的权限。
这些是我的主要路线:
- /api/auth/login - 登录目的
- /api/admin/** - 仅限具有 "ADMIN"
角色的管理员访问
- /api/** - 任何经过身份验证的用户都可以访问
我对最后 2 个有问题。根据我的代码的变化,我有 "/api/admin/**" 路线可供所有人或任何人(甚至管理员)访问。是否有可能实现或者我应该将最后的路线更改为 "/api/common/**" (然后它工作正常)?
这是我的部分代码:
@Override
protected void configure(HttpSecurity http) throws Exception {
AjaxLoginFilter ajaxLoginFilter = ajaxLoginFilter();
http
.cors()
.and()
.csrf().disable()
.exceptionHandling()
.authenticationEntryPoint(this.authenticationEntryPoint)
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/api/auth/login").permitAll()
.and()
.authorizeRequests()
.antMatchers("/api/**")
.authenticated()
.and()
.addFilterBefore(ajaxLoginFilter, UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(jwtTokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
.authorizeRequests()
.antMatchers("/api/admin/**")
.hasRole("ADMIN")
.and()
.addFilterBefore(ajaxLoginFilter, UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(jwtTokenAuthenticationFilterAdmin(), UsernamePasswordAuthenticationFilter.class);
}
protected JwtTokenAuthenticationFilter jwtTokenAuthenticationFilter() throws Exception {
List<String> pathsToSkip = Arrays.asList("/api/auth/login", "/api/admin/**");
SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, "/api/**");
JwtTokenAuthenticationFilter filter
= new JwtTokenAuthenticationFilter(failureHandler, tokenExtractor, matcher);
filter.setAuthenticationManager(this.authenticationManager);
return filter;
}
protected JwtTokenAuthenticationFilter jwtTokenAuthenticationFilterAdmin() throws Exception {
List<String> pathsToSkip = Arrays.asList("/api/auth/login", "/api/**");
SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, "/api/admin/**");
JwtTokenAuthenticationFilter filter
= new JwtTokenAuthenticationFilter(failureHandler, tokenExtractor, matcher);
filter.setAuthenticationManager(this.authenticationManager);
return filter;
}
在上面的代码中 "/api/admin/**" 任何人都无法访问。如果我从 pathsToSkip 列表中删除 "/api/**" jwtTokenAuthenticationFilterAdmin() 对管理员进行过滤,然后所有人都可以访问它。
所以问题是 - 我可以修复它还是我应该将任何经过身份验证的用户可访问的路由从 "/api/**"" 更改为 "/api/common/**"?
不要重复调用 authorizeRequests() 即:
...
.authorizeRequests()
.antMatchers("/api/auth/login").permitAll()
.antMatchers("/api/admin/**").hasRole("ADMIN")
.antMatchers("/api/**").authenticated()
.and()
.addFilterBefore(ajaxLoginFilter, UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(jwtTokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
...
我有 Spring 带有 REST 的应用程序 API。
在我的 WebSecurityConfig 中,我配置了访问路由的权限。
这些是我的主要路线:
- /api/auth/login - 登录目的
- /api/admin/** - 仅限具有 "ADMIN" 角色的管理员访问
- /api/** - 任何经过身份验证的用户都可以访问
我对最后 2 个有问题。根据我的代码的变化,我有 "/api/admin/**" 路线可供所有人或任何人(甚至管理员)访问。是否有可能实现或者我应该将最后的路线更改为 "/api/common/**" (然后它工作正常)?
这是我的部分代码:
@Override
protected void configure(HttpSecurity http) throws Exception {
AjaxLoginFilter ajaxLoginFilter = ajaxLoginFilter();
http
.cors()
.and()
.csrf().disable()
.exceptionHandling()
.authenticationEntryPoint(this.authenticationEntryPoint)
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/api/auth/login").permitAll()
.and()
.authorizeRequests()
.antMatchers("/api/**")
.authenticated()
.and()
.addFilterBefore(ajaxLoginFilter, UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(jwtTokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
.authorizeRequests()
.antMatchers("/api/admin/**")
.hasRole("ADMIN")
.and()
.addFilterBefore(ajaxLoginFilter, UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(jwtTokenAuthenticationFilterAdmin(), UsernamePasswordAuthenticationFilter.class);
}
protected JwtTokenAuthenticationFilter jwtTokenAuthenticationFilter() throws Exception {
List<String> pathsToSkip = Arrays.asList("/api/auth/login", "/api/admin/**");
SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, "/api/**");
JwtTokenAuthenticationFilter filter
= new JwtTokenAuthenticationFilter(failureHandler, tokenExtractor, matcher);
filter.setAuthenticationManager(this.authenticationManager);
return filter;
}
protected JwtTokenAuthenticationFilter jwtTokenAuthenticationFilterAdmin() throws Exception {
List<String> pathsToSkip = Arrays.asList("/api/auth/login", "/api/**");
SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, "/api/admin/**");
JwtTokenAuthenticationFilter filter
= new JwtTokenAuthenticationFilter(failureHandler, tokenExtractor, matcher);
filter.setAuthenticationManager(this.authenticationManager);
return filter;
}
在上面的代码中 "/api/admin/**" 任何人都无法访问。如果我从 pathsToSkip 列表中删除 "/api/**" jwtTokenAuthenticationFilterAdmin() 对管理员进行过滤,然后所有人都可以访问它。
所以问题是 - 我可以修复它还是我应该将任何经过身份验证的用户可访问的路由从 "/api/**"" 更改为 "/api/common/**"?
不要重复调用 authorizeRequests() 即:
...
.authorizeRequests()
.antMatchers("/api/auth/login").permitAll()
.antMatchers("/api/admin/**").hasRole("ADMIN")
.antMatchers("/api/**").authenticated()
.and()
.addFilterBefore(ajaxLoginFilter, UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(jwtTokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
...