在Spring Security中将HttpBasic和FormLogin与Spring-boot-starter混合使用
[英]Mix HttpBasic and FormLogin in Spring Security with Spring-boot-starter
问题描述
I use spring-boot-starter 0.5.0.M6 with spring security to build my application which contains: 
我使用具有弹簧安全性的spring-boot-starter 0.5.0.M6构建包含以下内容的应用程序:
- "/admin/ "**: should be accessible to anyone have role ADMIN, form-based login “ / admin / ” **:具有ADMIN角色,基于表单的登录名的任何人都应该可以访问
- "/api/ "**: should be accessible to anyone have role API, http basic login “ / api / ” **:具有角色API,http基本登录名的任何人都应该可以访问
My first attempt was: 我的第一次尝试是:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/resources/**").permitAll()
.antMatchers("/admin/**").hasRole("ADMIN")
.and()
.formLogin()
.defaultSuccessUrl("/admin/home")
.loginPage("/login")
.permitAll()
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET"))
.permitAll();
http
.authorizeRequests()
.antMatchers("/api/**").hasRole("API")
.and()
.httpBasic();
}
With this approach: 使用这种方法:
- all the "/admin/ " and "/api/ " can authentication use both basic & form-based login. 所有的“ / admin / ”和“ / api / ”都可以使用基本和基于表单的身份验证进行身份验证。 This is not a critical issue. 这不是关键问题。
- when any security issue occurred, eg: authentication failed, or authorization failed, the login form is shown. 当发生任何安全问题(例如:身份验证失败或授权失败)时,将显示登录表单。 This is a critical issue, I want if /api/** get authentication failed or authorization failed, it show the basic authentication popup with 401/403 status code. 这是一个关键问题,如果/ api / **获得身份验证失败或授权失败,我希望它显示带有401/403状态码的基本身份验证弹出窗口。
Then I try with the solution from https://github.com/spring-projects/spring-security-javaconfig/blob/master/samples-web.md#sample-multi-http-web-configuration , but I only able to secure either /api/** or /admin/** but not both, depends on which one I annotated with @Order . 然后我尝试使用https://github.com/spring-projects/spring-security-javaconfig/blob/master/samples-web.md#sample-multi-http-web-configuration的解决方案,但我只能保护/api/**或/admin/**但不能同时保护二者,取决于我使用@Order注释的哪个。
Please give me a hand. 请帮我一下。
Thanks much 非常感谢
1 个解决方案
解决方案1
4 2014-03-27 18:20:36
For your api part, use the following. 对于您的api部分,请使用以下内容。 Note the first ant matcher that limits the scope of what is filtered by this security configuration. 请注意,第一个蚂蚁匹配器限制了此安全配置过滤的内容的范围。 That was the part I did not understand at first from your reference. 那是我起初从您的参考文献中不了解的部分。
@Configuration
@Order(1)
public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
// the ant matcher is what limits the scope of this configuration.
http.antMatcher("/api/**").authorizeRequests()
.antMatchers("/api/**").authenticated()
.and().httpBasic().realmName("Sourcing API");
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.