[英]How to use Spring HttpSecurity without formLogin
I have SecurityConfig like: 我有这样的SecurityConfig:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private AuthProviderByIP authProvider;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception
{
auth.authenticationProvider(authProvider);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/public").permitAll()
.antMatchers("/private").hasRole("ADMIN")
.antMatchers("/**").permitAll();
}
}
And AuthProviderByIP like this: 和AuthProviderByIP像这样:
@Component
public class AuthProviderByIP implements AuthenticationProvider {
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
// making own Authentication object
}
@Override
public boolean supports(Class<?> aClass) {
return true;
}
} }
And when I'm trying to get /public resource it works fine But when trying to get /private resource it just return forbidden page. 当我尝试获取/ public资源时,它工作正常,但是当尝试获取/ private资源时,它仅返回禁止页面。 I checked it with debug and authenticate(...) method is not even invoked. 我用debug检查过它,甚至没有调用authenticate(...)方法。
When googling there is only HttpSecurity configuring with .formLogin().and().httpBasic() 谷歌搜索时只有HttpSecurity配置.formLogin()。and()。httpBasic()
But I need not formLogin right now. 但是我现在不需要formLogin。 How to configure it without formLogin? 如何不使用formLogin进行配置?
Spring Security stores the Authentication
object in SecurityContextHolder
. Spring Security将Authentication
对象存储在SecurityContextHolder
。 Set it manuallly, if you don't want a form login or a Basic authentication. 如果您不希望表单登录或基本身份验证,请手动进行设置。 From the docs : 从文档 :
Authentication request = new UsernamePasswordAuthenticationToken(name, password);
Authentication result = authenticationManager.authenticate(request);
SecurityContextHolder.getContext().setAuthentication(result);
You can disable Form-Login and Basic-Auth in the HttpSecurity configuration: 您可以在HttpSecurity配置中禁用Form-Login和Basic-Auth:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
...
.httpBasic().disable()
.formLogin().disable();
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.