堆栈内存溢出
  简体   繁体   English

如何仅为一个特殊路径WebSecurityConfigurerAdapter添加过滤器

[英]How to add a filter only for one special path WebSecurityConfigurerAdapter

 原文  2017-08-22 14:26:45       java/ spring/ web-services/ security/ spring-security

问题描述

We have a configuration which looks like this: 我们有一个如下所示的配置: 

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    public static final String LOGIN_PATH_EXPRESSION = "/login";
    public static final String API_PATH_EXPRESSION = "/api/**/*";
    public static final String GLOBAL_PATH_EXPRESSION = "/**/*";

    @Autowired
    @Qualifier("ssoFilter")
    private Filter ssoFilter;

    @Autowired
    private VerifyingProcessingFilter verifyingProcessingFilter;


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .userDetailsService(username -> new User(username, "", Collections.emptyList()))
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers(LOGIN_PATH_EXPRESSION)
                .authenticated()
                .and()
                .httpBasic()
                .and()
                .authenticationProvider(new SimpleAuthenticationProvider())
            .authorizeRequests()
                .antMatchers(API_PATH_EXPRESSION).authenticated()
                .and()
                .addFilterBefore(ssoFilter, BasicAuthenticationFilter.class)
                .addFilterAfter(verifyingProcessingFilter, FilteredOAuth2AuthenticationProcessingFilter.class)
            .authorizeRequests()
                .antMatchers(GLOBAL_PATH_EXPRESSION)
                .permitAll()
                .and()
                .csrf()
                .disable();
    }

And recognized that we end inside of the FilteredOAuth2AuthenticationProcessingFilter within a /login call and asked ourself why this is happening. 并且认识到我们在/login调用中结束了FilteredOAuth2AuthenticationProcessingFilter并且问自己为什么会发生这种情况。

The goal is to have the ssoFilter and the verifyingProcessingFilter only applied when hitting an endpoint with the path api/**/* . 目标是仅在使用路径api/**/*命中端点时应用ssoFilterverifyingProcessingFilter

Right now we have to add a AntMatching check inside of the filter so it is only applied to the right request but i assume it should be possible to add it only to the matching requests. 现在我们必须在过滤器内添加一个AntMatching检查,因此它只适用于正确的请求,但我认为应该可以将它只添加到匹配的请求中。

Could someone provide an example on how to add a Filter to one specific Ant Matching path request? 有人可以举例说明如何将Filter添加到一个特定的Ant匹配路径请求中吗?

1 个解决方案

解决方案1
 17 已采纳  2017-08-22 15:50:19

Looks like you can't do that with a single Configuration class. 看起来你不能用一个Configuration类做到这一点。 Take a look at this question: How to apply spring security filter only on secured endpoints? 看一下这个问题: 如何仅在安全端点上应用Spring安全过滤器? .

In this case, I think the better solution is to configure multiple HttpSecurity. 在这种情况下,我认为更好的解决方案是配置多个HttpSecurity。 From Spring IO documentation : Spring IO文档

We can configure multiple HttpSecurity instances just as we can have multiple blocks. 我们可以配置多个HttpSecurity实例,就像我们可以有多个块一样。 The key is to extend the WebSecurityConfigurationAdapter multiple times. 关键是多次扩展WebSecurityConfigurationAdapter。 For example, the following is an example of having a different configuration for URL's that start with /api/. 例如,以下是具有以/ api /开头的URL的不同配置的示例。

The documentation has a full example with the necessary steps to accomplish this: 该文档有一个完整的示例,其中包含完成此操作所需的步骤:

  1. Configure Authentication as normal 正常配置身份验证
  2. Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first. 创建包含@Order的WebSecurityConfigurerAdapter实例,以指定应首先考虑哪个WebSecurityConfigurerAdapter。
  3. The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/ http.antMatcher声明此HttpSecurity仅适用于以/ api /开头的URL
  4. Create another instance of WebSecurityConfigurerAdapter. 创建WebSecurityConfigurerAdapter的另一个实例。 If the URL does not start with /api/ this configuration will be used. 如果URL不以/ api /开头,则将使用此配置。 This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last). 此配置在ApiWebSecurityConfigurationAdapter之后考虑,因为它在1之后具有@Order值(没有@Order默认为last)。

Good luck! 祝好运!

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Spring Security WebSecurityConfigurerAdapter特殊字符 - Spring Security WebSecurityConfigurerAdapter special characters 如何从 WebSecurityConfigurerAdapter 迁移? - How to migrate from WebSecurityConfigurerAdapter? ANT:如何将路径元素从一个路径“添加”到第二个路径? - ANT: How to “add” path elements from one path into a second path? 具有自定义身份验证过滤器的WebSecurityConfigurerAdapter - 依赖性问题 - WebSecurityConfigurerAdapter with custom authentication filter - dependency issue 如何在没有 WebSecurityConfigurerAdapter 的情况下更改 HttpSecurity - How to change HttpSecurity without WebSecurityConfigurerAdapter 如何将弃用的 WebSecurityConfigurerAdapter 迁移到 SecurityFilterChain? - How to migrate deprecated WebSecurityConfigurerAdapter to SecurityFilterChain? 是否可以有2个UserDetailsS​​ervice(每个WebSecurityConfigurerAdapter一个)? - Is it possible to have 2 UserDetailsService (one for each WebSecurityConfigurerAdapter)? 如何筛选休眠搜索结果以仅包含排序期间具有特殊字段值的对象之后的对象? - How to filter Hibernate Search results to include only that objects which are after object with special field value during sort? 如何仅向一行添加空格 - How to add a space to only one line 如何仅添加一个数据? - how can add only one data?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM