
Combine Spring HTTP Basic Authentication and Access Token

How can I combine Spring HTTP Basic Authentication and Access Token so that both work simultaneously? In my case only the configuration with Order(1) works.

I want all /api/** to be accessible only to users with a token, and all /web/** to be accessible only to logged-in users.

WebSecurityConfig.java

@Configuration
@EnableWebMvcSecurity
@Order(1)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/web/**", "/gopr").authenticated()
                .and().authorizeRequests()
                .and()
                .formLogin().loginPage("/login").permitAll()
                .defaultSuccessUrl("/gopr", true).permitAll()
                .and().logout().logoutSuccessUrl("/login").permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }
}

Application.java

@SpringBootApplication
@EnableResourceServer
@Order(2)
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);

    }

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            // @formatter:off
            clients.inMemory()
                .withClient("my-trusted-client")
                    .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit", "client_credentials")
                    .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                    .scopes("read", "write", "trust")
                    .resourceIds("oauth2-resource")
                    .secret("password")
                    .accessTokenValiditySeconds(600);
            // @formatter:on
        }
    }

    @Configuration
    @EnableResourceServer
    protected static class ResourceServer extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().antMatchers("/web/**", "/login", "/index", "/").permitAll()
                    .antMatchers("/api/**").authenticated();
            /* antMatchers("/web/**", "/gopr").permitAll().antMatchers("/api/**").authenticated(); */
        }
    }
}

Always use 'requestMatchers()' when creating security filters. This way when multiple filter chains are created, only the first filter chain will not be used.

Modify both your WebSecurityConfig.java as:

    @Configuration
    @EnableWebMvcSecurity
    @Order(1)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        // ...
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // Restrict this filter chain to the web paths
                .requestMatchers().antMatchers("/web/**", "/gopr")
                .and()
                .authorizeRequests().antMatchers("/web/**", "/gopr").authenticated()
                .and()
                .formLogin().loginPage("/login").permitAll()
                .defaultSuccessUrl("/gopr", true).permitAll()
                .and().logout().logoutSuccessUrl("/login").permitAll();
        }
        // ...
    }

and your ResourceServer inner class as:

    @Configuration
    @EnableResourceServer
    protected static class ResourceServer extends
            ResourceServerConfigurerAdapter {

        // ...
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                    .requestMatchers().antMatchers("/api/**").and()
                    .authorizeRequests().antMatchers("/api/**").authenticated();
        }


    }

Reference: https://github.com/royclarkson/spring-rest-service-oauth/issues/11
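
The chain selection behind this answer, as an added example that is not part of the original post: a plain-Java model (no Spring dependency) of first-match filter chain selection, run against the question's matchers and the answer's matchers. The class and chain names, the order value 3 for the resource server chain, and the sample paths are assumptions made for the illustration.

```java
import java.util.*;

// Simplified model: chains are tried in order and the first chain whose
// request matcher accepts the path handles the request. Names are hypothetical.
public class ChainSelectionDemo {

    static final class Chain {
        final String name; final int order; final List<String> patterns;
        Chain(String name, int order, String... patterns) {
            this.name = name; this.order = order; this.patterns = Arrays.asList(patterns);
        }
        // Covers only the pattern shapes used on this page: "/**", "/prefix/**", exact paths.
        boolean matches(String path) {
            for (String p : patterns) {
                if (p.equals("/**")) return true;
                if (p.endsWith("/**")) {
                    String prefix = p.substring(0, p.length() - 3);
                    if (path.equals(prefix) || path.startsWith(prefix + "/")) return true;
                } else if (p.equals(path)) return true;
            }
            return false;
        }
    }

    static String handledBy(List<Chain> chains, String path) {
        List<Chain> sorted = new ArrayList<>(chains);
        sorted.sort(Comparator.comparingInt(c -> c.order));
        for (Chain c : sorted) if (c.matches(path)) return c.name;
        return "(no chain)";
    }

    public static void main(String[] args) {
        // Question: no requestMatchers(), so the @Order(1) chain accepts every path.
        // Order 3 for the resource server is an assumption; any value above 1 behaves the same.
        List<Chain> before = Arrays.asList(
            new Chain("formLogin", 1, "/**"),
            new Chain("resourceServer", 3, "/**"));
        // Answer: each chain is scoped with requestMatchers().antMatchers(...).
        List<Chain> after = Arrays.asList(
            new Chain("formLogin", 1, "/web/**", "/gopr"),
            new Chain("resourceServer", 3, "/api/**"));
        // Constructed sample paths; "/login" lies outside both scoped matchers.
        for (String path : new String[] {"/web/home", "/gopr", "/api/users", "/login"}) {
            System.out.printf("%-11s before=%-15s after=%s%n",
                path, handledBy(before, path), handledBy(after, path));
        }
    }
}
```

Run it with `java ChainSelectionDemo.java`; the `before` column shows every path landing in the form-login chain, while the `after` column shows /api/users reaching the resource server chain.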
