Mix HttpBasic and FormLogin in Spring Security with Spring-boot-starter
I use spring-boot-starter 0.5.0.M6 with Spring Security to build my application, which contains:
My first attempt was:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/resources/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .and()
            .formLogin()
                .defaultSuccessUrl("/admin/home")
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET"))
                .permitAll();
        http
            .authorizeRequests()
                .antMatchers("/api/**").hasRole("API")
                .and()
            .httpBasic();
    }
With this approach:
Then I tried the solution from https://github.com/spring-projects/spring-security-javaconfig/blob/master/samples-web.md#sample-multi-http-web-configuration, but I am only able to secure either /api/** or /admin/** but not both, depending on which one I annotated with @Order.
Please give me a hand.
Thanks much
For your api part, use the following. Note the first ant matcher that limits the scope of what is filtered by this security configuration. That was the part I did not understand at first from your reference.
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable();
            // the ant matcher is what limits the scope of this configuration.
            http.antMatcher("/api/**").authorizeRequests()
                .antMatchers("/api/**").authenticated()
                .and().httpBasic().realmName("Sourcing API");
        }
    }
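The scoped API chain from the answer placed beside a form-login chain for the rest of the site, as an added example that is not part of the original question or answer. The class names MultiHttpSecurityConfig, ApiConfig and FormLoginConfig, the stateless session setting and the use of hasRole("API") on the API chain are assumptions; users holding the ADMIN and API roles are assumed to be defined elsewhere, and the code targets the WebSecurityConfigurerAdapter API used on this page.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@EnableWebSecurity
public class MultiHttpSecurityConfig {

    // Chain 1: consulted first (@Order(1)); antMatcher() restricts it to /api/**.
    @Configuration
    @Order(1)
    public static class ApiConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**")
                // CSRF is disabled only here; the chain keeps no session (assumption),
                // so every API request must carry its own Basic credentials.
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests().anyRequest().hasRole("API")
                .and()
                .httpBasic().realmName("Sourcing API");
        }
    }

    // Chain 2: no antMatcher() and the adapter's default order, so it handles
    // every request that chain 1 did not claim. CSRF protection stays enabled.
    @Configuration
    public static class FormLoginConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/resources/**").permitAll()
                    .antMatchers("/admin/**").hasRole("ADMIN")
                    .and()
                .formLogin().loginPage("/login").defaultSuccessUrl("/admin/home").permitAll()
                    .and()
                .logout().permitAll();
        }
    }
}
```

Only one of the two adapters may omit the top-level antMatcher(); if both are unscoped, the one with the lower @Order value claims every request and the other chain is never consulted.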