java Spring @EnableResourceServer 和@EnableWebSecurity
java Spring @EnableResourceServer and @EnableWebSecurity
我有 RESTful spring 资源服务器 @EnableResourceServer 并扩展 ResourceServerConfigurerAdapter
在documentations中说:
...In order to use this filter you must @EnableWebSecurity somewhere in your application, either in the same place as you use this annotation, or somewhere else.
但是当我到达 public @interface EnableResourceServer 时,我看到 ResourceServerConfiguration extends WebSecurityConfigurerAdapter。
问题:
那么纯 RESTful API 需要什么?
@EnableWebSecurity 任意 @Config- 延长
WebSecurityConfigurerAdapter?
- 1 + 2
- 都没有
我的配置
@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class HGResourceServerConfigurerAdapter extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.cors().disable()
.csrf().disable()
.formLogin().disable()
.httpBasic().disable()
.jee().disable()
.logout().disable()
.rememberMe().disable()
.servletApi().disable()
.x509().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.and().authorizeRequests().antMatchers(Url.API_ERROR_LOGS_FRONTEND).permitAll()
.and().authorizeRequests().antMatchers(Url.API_REGISTER_PATH).permitAll()
.and().authorizeRequests().antMatchers(Url.API_VERIFY_EMAIL_PATH).permitAll()
.and().authorizeRequests().antMatchers(Url.API_RESET_PASSWORD_PATH).permitAll()
.and().authorizeRequests().antMatchers(Url.API_CONFIRM_RESET_PASSWORD_PATH).permitAll()
.and().authorizeRequests().anyRequest().authenticated();
}
@Primary
@Bean
public RemoteTokenServices tokenService() {
RemoteTokenServices tokenService = new RemoteTokenServices();
tokenService.setCheckTokenEndpointUrl("http://localhost:8081/oauth/check_token");
tokenService.setClientId("client");
tokenService.setClientSecret("secret");
return tokenService;
}
//disable default user creation
@Bean
public UserDetailsService userDetailsService() throws Exception {
return new InMemoryUserDetailsManager();
}
//password encoder
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
不,启用 EnableWebSecurity 是隐式的。
我不推荐使用WebSecurityConfigurerAdapter,你会遇到一些麻烦:
,除此之外是否需要。
您可以通过查看此 OAuth2 resource server example 来向自己证明这一点。如果你去掉那里的@EnableWebSecurity注释,你会发现Spring安全过滤器链没有连线。
您仍然可以扩展 WebSecurityConfigurerAdapter 以将一般 Web 应用程序安全问题与特定于资源服务器配置的问题分开。这在技术上不是必需的,但可以实现 a cleaner separation of concerns.
我有 RESTful spring 资源服务器 @EnableResourceServer 并扩展 ResourceServerConfigurerAdapter
在documentations中说:
...In order to use this filter you must @EnableWebSecurity somewhere in your application, either in the same place as you use this annotation, or somewhere else.
但是当我到达 public @interface EnableResourceServer 时,我看到 ResourceServerConfiguration extends WebSecurityConfigurerAdapter。
问题: 那么纯 RESTful API 需要什么?
@EnableWebSecurity任意@Config- 延长
WebSecurityConfigurerAdapter? - 1 + 2
- 都没有
我的配置
@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class HGResourceServerConfigurerAdapter extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.cors().disable()
.csrf().disable()
.formLogin().disable()
.httpBasic().disable()
.jee().disable()
.logout().disable()
.rememberMe().disable()
.servletApi().disable()
.x509().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.and().authorizeRequests().antMatchers(Url.API_ERROR_LOGS_FRONTEND).permitAll()
.and().authorizeRequests().antMatchers(Url.API_REGISTER_PATH).permitAll()
.and().authorizeRequests().antMatchers(Url.API_VERIFY_EMAIL_PATH).permitAll()
.and().authorizeRequests().antMatchers(Url.API_RESET_PASSWORD_PATH).permitAll()
.and().authorizeRequests().antMatchers(Url.API_CONFIRM_RESET_PASSWORD_PATH).permitAll()
.and().authorizeRequests().anyRequest().authenticated();
}
@Primary
@Bean
public RemoteTokenServices tokenService() {
RemoteTokenServices tokenService = new RemoteTokenServices();
tokenService.setCheckTokenEndpointUrl("http://localhost:8081/oauth/check_token");
tokenService.setClientId("client");
tokenService.setClientSecret("secret");
return tokenService;
}
//disable default user creation
@Bean
public UserDetailsService userDetailsService() throws Exception {
return new InMemoryUserDetailsManager();
}
//password encoder
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
不,启用 EnableWebSecurity 是隐式的。
我不推荐使用WebSecurityConfigurerAdapter,你会遇到一些麻烦:
您可以通过查看此 OAuth2 resource server example 来向自己证明这一点。如果你去掉那里的@EnableWebSecurity注释,你会发现Spring安全过滤器链没有连线。
您仍然可以扩展 WebSecurityConfigurerAdapter 以将一般 Web 应用程序安全问题与特定于资源服务器配置的问题分开。这在技术上不是必需的,但可以实现 a cleaner separation of concerns.