Spring 安全忽略多个 HTTP 配置

Question

我一直在开发一个具有 Spring 安全性的 Web 应用程序，它有一些复杂的要求（支持数据库和 LDAP 身份验证、登录页面和 API），我已经基本弄明白了除了我无法得到的一件事：处理多个 http.我在 JAVA 中做所有事情，没有 web.xml。使用 Spring 调试，它识别所有三个，但它似乎只是将请求与第一个 http 进行比较，然后继续。这是我的代码：

AppConfig.java

@Configuration
@ComponentScan( { "com.mydomain.security" } )
@Import( { SecurityConfig.class } )
public class AppConfig{
    ...
}

SecurityConfig.java

@Configuration
@EnableWebSecurity
public class SecurityConfig{

    @Autowired
    Config cfg;

    @Autowired
    LdapContextSource ldapContextSource;

    @Autowired
    @Qualifier( "authenticationProviderDB" )
    AuthenticationProvider authenticationProviderDB;

    @Autowired
    @Qualifier( "authenticationProviderLDAP" )
    AuthenticationProvider authenticationProviderLDAP;

    @Autowired
    @Qualifier( "persistentRememberMeServices" )
    static RememberMeServices persistentRememberMeServices;

    @Autowired
    @Qualifier( "tokenRepository" )
    CustomTokenRepository tokenRepository;

    @Autowired
    public void configureGlobal( AuthenticationManagerBuilder auth )throws Exception{
        auth.authenticationProvider( authenticationProviderLDAP );
        auth.authenticationProvider( authenticationProviderDB );
    }

    @Configuration
    @Order( 1 )                                                        
    public static class RestWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter{
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().antMatchers( "/api/**" ).hasRole("ROLE_USER").and().httpBasic()
            .and().exceptionHandling().accessDeniedPage( "/security/api" )
        }
    }

    @Configuration                                                   
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter{
        @Override
        protected void configure( HttpSecurity http )throws Exception{
            http.authorizeRequests().antMatchers( "/**" ).hasRole("ROLE_USER")
            .and().formLogin().loginPage( "/security/login" ).failureUrl( "/security/login?error" ).usernameParameter( "username" ).passwordParameter( "password" )
            .loginProcessingUrl("/j_spring_valuehere")
            .and().rememberMe().rememberMeServices( persistentRememberMeServices ).key( "key" )
            .and().addFilterBefore( (Filter)new CustomErrorHandlerFilter(), RememberMeAuthenticationFilter.class)
            .csrf().disable();
        }
    }
}

日志

8075 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy  - /index.jsp at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
8076 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher  - Checking match of request : '/index.jsp'; against '/security/**'
8076 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor  - Public object - authentication not attempted
8077 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy  - /index.jsp reached end of additional filter chain; proceeding with original chain

非常感谢对我可能遗漏的任何帮助。

Answer 1

尝试改变

http.authorizeRequests().antMatchers( "/api/**" ).hasRole("ROLE_USER").and().httpBasic()
        .and().exceptionHandling().accessDeniedPage( "/security/api" )

至

http.antMatcher("/api/**").authorizeRequests().antMatchers( "/api/**" ).hasRole("ROLE_USER").and().httpBasic()
        .and().exceptionHandling().accessDeniedPage( "/security/api" )

这将覆盖您设置的 /** 链。

Spring 安全忽略多个 HTTP 配置

Spring Security ignoring multiple HTTP configurations

java

spring

spring-mvc

spring-security