SpringBoot基本身份验证忽略以.wsdl结尾的URL
[英]SpringBoot basic auth ignore URLs ending with .wsdl
问题描述
I'm using basicAuth in my spring boot project. 
我在春季启动项目中使用basicAuth 。
There is a requirement that service URLs should be authenticated, while on WSDL, there should be no authentication. 要求对服务URL进行身份验证,而在WSDL上,不应进行身份验证。
I want to maintain all the authenticated & ignored URLs in application.yml file. 我想维护application.yml文件中所有经过身份验证和忽略的URL。
Something like: 就像是:
auth.authenticated: /onlineshop/v1/ecart,/onlineshop/v1/wishlist
auth.ignored: /onlineshop/v1/ecart.wsdl,/onlineshop/v1/wishlist.wsdl
@EnableWebSecurity
@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Value("${auth.authenticated}")
String[] allAuthenticated;
@Value("${auth.ignored}")
String[] allIgnored;
@Override
protected void configure(HttpSecurity http) throws Exception {
// Something like
for (String ignored: allIgnored) {
http.authorizeRequests().antMatchers(ignored).permitAll();
}
// Something like
for (String authenticated: allAuthenticated) {
http.authorizeRequests().antMatchers(authenticated).authenticated();
}
....
}
}
Above code is a rough draft ( sorry for that ), but I've tried coding along these lines but it is not working. 上面的代码是草稿( 对此感到抱歉 ),但是我尝试按照这些思路进行编码,但是它不起作用。
It is not applying any sort of authentication. 它没有应用任何形式的身份验证。
Please suggest how can I make this work. 请提出如何进行这项工作的建议。
Also, instead of ignoring selective URLs ending .wsdl, how can I ignore all URLs ending with .wsdl 另外,除了忽略以.wsdl结尾的选择性URL之外,我如何忽略以.wsdl结尾的所有URL。
Thank You 谢谢
1 个解决方案
解决方案1
2 2017-03-17 07:07:51
First of all, I believe you should do a whitelisting approach for allowing unauthenticated accesses. 首先,我相信您应该对允许未经身份验证的访问进行白名单处理。 Therefore I have removed allAuthenticated parameter and required authentication for every url which is not in allIgnored parameter, which is safer by design. 因此,我删除了allAuthenticated参数,并为不在allIgnored参数中的每个url要求进行身份验证,这在设计上更安全。
Below configuration is sufficient for the feature you required. 以下配置足以满足您所需的功能。
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Value("${auth.ignored}")
private String[] allIgnored;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers(allIgnored).permitAll()
.anyRequest().authenticated()
.and()
.httpBasic();
}
}
Note that since antMatchers() requires String[] , you don't need to iterate the loop yourself. 请注意,由于antMatchers()需要String[] ,因此您无需自己迭代循环。
If you still want to configure with allAuthenticated you just need to add .antMatchers(allAuthenticated).authenticated() to the configuration. 如果仍要使用allAuthenticated进行配置, allAuthenticated只需将.antMatchers(allAuthenticated).authenticated()到配置中。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.