堆栈内存溢出
  简体   繁体   English

Spring Security oauth并关闭某些URL的安全性,但保持基本身份验证处于激活状态

[英]Spring Security oauth and turn off security for some urls but keep basic auth activated

 原文  2016-06-30 12:52:10       java/ spring/ security/ spring-security

问题描述

I have project with working spring security oauth2. 我有与春季安全oauth2一起工作的项目。

The HttpSecurity Config looks like this: HttpSecurity Config如下所示: 

http.antMatcher("/**").authorizeRequests().antMatchers(RESOURCE_LOCATIONS).permitAll().and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
            .and().httpBasic().disable()
            .authorizeRequests().anyRequest().authenticated();

With this set up, any request except the urls below RESOURCE_LOCATIONS are secured by ouath2 protocol. 通过此设置,除了RESOURCE_LOCATIONS下面的URL之外的任何请求均由ouath2协议保护。 HTTP Basic is turned off for those requests. 对于这些请求,HTTP Basic已关闭。

Now I want to have urls below /internal/** being secured, but only via HTTP Basic auth. 现在,我想确保/ internal / **下的URL受保护,但只能通过HTTP Basic auth进行保护。

I am trying something like this or similar approaches: 我正在尝试类似或类似的方法: 

http.antMatcher("/**").authorizeRequests().antMatchers(RESOURCE_LOCATIONS).permitAll().and()
            .antMatcher("/internal/**").httpBasic().and() //<--ADDED THIS LINE
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
            .and().httpBasic().disable()
            .authorizeRequests().anyRequest().authenticated();

but it surprisingly then ALL requests are public and without basic auth. 但是令人惊讶的是,所有请求都是公开的,并且没有基本身份验证。

Does anyone have a hint to solve this? 有没有人暗示要解决这个问题?

BR, Michael BR,迈克尔

1 个解决方案

解决方案1
 1  2016-06-30 14:15:40

Well, 好,

If you want to have url /internal/** being secured the better form is with hasRole('') and httpBasic. 如果要确保url / internal / **的安全,更好的形式是使用hasRole('')和httpBasic。 Your application and that needs to be authenticated by simple HTTP basic authentication. 您的应用程序需要通过简单的HTTP基本身份验证进行身份验证。 But other web pages should not be using HTTP basic but rather a the normal form login. 但是其他网页不应使用HTTP Basic,而应使用常规形式的登录名。 So you can create a WebSecurity just to url 'Internal' like below. 因此,您可以创建一个WebSecurity来仅将“内部”作为url,如下所示。 I hope this can help you! 希望对您有所帮助! 

@Configuration
@Order(1)
public static class InternalWebSecurityConfig extends WebSecurityConfigurerAdapter{
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .antMatcher("/internal/**")
                .authorizeRequests()
                    .anyRequest().hasAnyRole("ADMIN", "USER")
                    .and()
                .httpBasic();
    }
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Spring Security-基本身份验证 - Spring security - Basic auth 具有基本身份验证和OAuth订单问题的Spring Boot安全性 - Spring Boot Security with Basic Auth and OAuth Order Issue Spring Security条件基础认证 - Spring Security Conditional Basic Auth 具有 spring 安全性的多基本身份验证 - Multi basic auth with spring security 如何在Spring Security中关闭Websocket的身份验证? - How to turn off authentication for websockets in Spring Security? Spring Security Oauth2允许所有URL - Spring Security Oauth2 all urls are permitted 为Oauth和Http Basic身份验证配置Spring Security - Configuring Spring Security for Oauth and Http Basic authentication Spring Security for REST API的Basic Auth中的UserAuthorities - UserAuthorities in Basic Auth with Spring Security for REST API Spring Security Basic Auth Prompt出现 - Spring Security Basic Auth Prompt Appearing 在Spring Security中如何通过我的基本身份验证配置和我的oauth配置允许“ / api / **” - How to allow “/api/**” through my basic auth config and into my oauth config in Spring Security
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM