[英]Spring Security oauth and turn off security for some urls but keep basic auth activated
I have project with working spring security oauth2. 我有与春季安全oauth2一起工作的项目。
The HttpSecurity Config looks like this: HttpSecurity Config如下所示:
http.antMatcher("/**").authorizeRequests().antMatchers(RESOURCE_LOCATIONS).permitAll().and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
.and().httpBasic().disable()
.authorizeRequests().anyRequest().authenticated();
With this set up, any request except the urls below RESOURCE_LOCATIONS are secured by ouath2 protocol. 通过此设置,除了RESOURCE_LOCATIONS下面的URL之外的任何请求均由ouath2协议保护。 HTTP Basic is turned off for those requests.
对于这些请求,HTTP Basic已关闭。
Now I want to have urls below /internal/** being secured, but only via HTTP Basic auth. 现在,我想确保/ internal / **下的URL受保护,但只能通过HTTP Basic auth进行保护。
I am trying something like this or similar approaches: 我正在尝试类似或类似的方法:
http.antMatcher("/**").authorizeRequests().antMatchers(RESOURCE_LOCATIONS).permitAll().and()
.antMatcher("/internal/**").httpBasic().and() //<--ADDED THIS LINE
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
.and().httpBasic().disable()
.authorizeRequests().anyRequest().authenticated();
but it surprisingly then ALL requests are public and without basic auth. 但是令人惊讶的是,所有请求都是公开的,并且没有基本身份验证。
Does anyone have a hint to solve this? 有没有人暗示要解决这个问题?
BR, Michael BR,迈克尔
Well, 好,
If you want to have url /internal/** being secured the better form is with hasRole('') and httpBasic. 如果要确保url / internal / **的安全,更好的形式是使用hasRole('')和httpBasic。 Your application and that needs to be authenticated by simple HTTP basic authentication.
您的应用程序需要通过简单的HTTP基本身份验证进行身份验证。 But other web pages should not be using HTTP basic but rather a the normal form login.
但是其他网页不应使用HTTP Basic,而应使用常规形式的登录名。 So you can create a WebSecurity just to url 'Internal' like below.
因此,您可以创建一个WebSecurity来仅将“内部”作为url,如下所示。 I hope this can help you!
希望对您有所帮助!
@Configuration
@Order(1)
public static class InternalWebSecurityConfig extends WebSecurityConfigurerAdapter{
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.antMatcher("/internal/**")
.authorizeRequests()
.anyRequest().hasAnyRole("ADMIN", "USER")
.and()
.httpBasic();
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.