
Spring Boot 3 multiple security filter chains don't work

I am using Spring Boot 3.0.1. In my WebSecurityConfig class, I want to filter 2 types of API URLs. So I have 2 SecurityFilterChains. This is what I want to achieve:

1.) Login API: I want to permit this URL and save the session ID to the database using Spring Session.
2.) Other whitelisted APIs: I want to permit some URLs without any security/session checks.
3.) Any other API calls need to have the x-auth-token.

The following code has only 1 SecurityFilterChain and it works perfectly fine to satisfy all of the above points 1, 2 and 3. For 1, it will create the session ID in the spring_session table with the login user as the principal_name. For 2, it will also create another session ID in the spring_session table with "client" as the principal_name. I do not want to create a session ID for 2. I only want to create a session ID when I call 1 (the login API). So I believe that I have to write 2 filter chains: the first one only for the login API, which creates the session ID, and the second one for all the whitelisted APIs to go through without security/session checks. How do I write 2 security filter chains?

import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.session.web.http.HeaderHttpSessionIdResolver;
import org.springframework.session.web.http.HttpSessionIdResolver;

@Configuration
@EnableWebSecurity
// @EnableGlobalMethodSecurity is deprecated in Spring Security 6 (Spring Boot 3);
// @EnableMethodSecurity enables @PreAuthorize/@PostAuthorize by default.
@EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
public class WebSecurityConfig {

    @Autowired
    private RestAuthenticationEntryPoint restAuthenticationEntryPoint;

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private AuthenticationFailureHandler authenticationFailureHandler;

    @Autowired
    private PasswordEncoder passwordEncoder;

    // Builds the AuthenticationManager from the builder shared with HttpSecurity,
    // backed by the injected UserDetailsService and PasswordEncoder.
    @Bean
    public AuthenticationManager authenticationManager(HttpSecurity http)
            throws Exception {
        var builder = http.getSharedObject(AuthenticationManagerBuilder.class);
        builder.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
        return builder.build();
    }

    // Paths that are permitAll in the chain below. Note that entries outside
    // /api/** (actuator, /health/**, /get-user*) never reach this chain because
    // of securityMatcher("/api/**"); with no other chain matching them, they
    // pass through Spring Security untouched.
    private static final String[] AUTH_WHITELIST = {
            "/api/usermanager/auth/login",
            "/api/usermanager/auth/app-login",
            "/api/usermanager/auth/resetPassword",
            "/api/usermanager/auth/health",
            "/api/usermanager/back-office/login",
            "/actuator/**",
            "/get-user-names",
            "/get-users",
            "/get-user",
            "/api/usermanager/users/activate",
            "/health/**",
            "/api/usermanager/org",
            "/api/usermanager/org/*/theme",
            "/api/usermanager/image/org/*/all",
            "/api/usermanager/image/org/*/logo.png"
    };

    @Bean
    public SecurityFilterChain loginFilterChain(HttpSecurity http) throws Exception {
        http
                // Only requests under /api/** are handled by this chain.
                .securityMatcher("/api/**")
                .csrf(csrf -> csrf.disable())
                .cors(withDefaults())
                .exceptionHandling(ex -> ex.authenticationEntryPoint(restAuthenticationEntryPoint))
                .securityContext(securityContext -> securityContext.requireExplicitSave(false))
                // Basic auth was configured twice in the original; once is enough.
                .httpBasic(withDefaults())
                .authorizeHttpRequests(requests -> requests
                        .requestMatchers(AUTH_WHITELIST).permitAll()
                        .anyRequest().authenticated())
                .sessionManagement(session -> session
                        .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                        .sessionFixation().migrateSession()
                        .maximumSessions(1)
                        .expiredUrl("/sessionExpired.html")
                        .maxSessionsPreventsLogin(false));
        return http.build();
    }

    // Static resources bypass the security filter chain entirely.
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.ignoring().requestMatchers(HttpMethod.GET,
                "/docs/**", "/resources/**", "/static/**", "/img/**");
    }

    @Bean
    public AuthenticationFailureHandler myFailureHandler() {
        return new CustomAuthenticationFailureHandler();
    }

    // Spring Session reads the session id from the X-Auth-Token header instead of
    // a cookie. The original declared this bean twice; one definition is enough.
    @Bean
    public HttpSessionIdResolver httpSessionIdResolver() {
        return HeaderHttpSessionIdResolver.xAuthToken();
    }

    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}

Create more SecurityFilterChain beans and add @Order(1) and @Order(2) annotations.

Check the Spring docs: https://docs.spring.io/spring-security/reference/servlet/architecture.html#servlet-securityfilterchain
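The answer names the mechanism but not the shape of the chains. The configuration below is an added example written for this page, not code from the question or the answer. It splits the asker's single chain into three @Order-ed SecurityFilterChain beans that map onto points 1, 2 and 3 of the question. The class name, the bean names, the constructed test user and the use of Spring Security's HttpStatusEntryPoint in place of the asker's RestAuthenticationEntryPoint are assumptions. The login chain requires Basic credentials rather than permitAll, because it is the successful Basic authentication that Spring Security saves into the HttpSession and that Spring Session then writes to spring_session; a permitAll URL with httpBasic() still authenticates any Authorization header it receives and persists that principal, which is where the asker's unwanted "client" sessions come from.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.session.web.http.HeaderHttpSessionIdResolver;
import org.springframework.session.web.http.HttpSessionIdResolver;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
public class MultiChainSecurityConfig { // assumed name, not from the original page

    // Chain 1 (first match wins): login endpoints only. Basic credentials are
    // required; IF_REQUIRED lets Spring Security create the HttpSession that
    // Spring Session stores with the user as principal_name. The new session id
    // is returned to the client in the X-Auth-Token response header.
    @Bean
    @Order(1)
    SecurityFilterChain loginChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/usermanager/auth/login",
                             "/api/usermanager/auth/app-login",
                             "/api/usermanager/back-office/login")
            .csrf(csrf -> csrf.disable())
            .httpBasic(Customizer.withDefaults())
            .exceptionHandling(ex -> ex.authenticationEntryPoint(
                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED));
        return http.build();
    }

    // Chain 2: public endpoints. STATELESS means no HttpSession is created or
    // read, and without httpBasic() no filter can turn a stray Authorization
    // header into a persisted "client" session.
    @Bean
    @Order(2)
    SecurityFilterChain publicChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/usermanager/auth/resetPassword",
                             "/api/usermanager/auth/health",
                             "/api/usermanager/users/activate",
                             "/api/usermanager/org",
                             "/api/usermanager/org/*/theme",
                             "/api/usermanager/image/org/*/all",
                             "/api/usermanager/image/org/*/logo.png",
                             "/actuator/**", "/health/**")
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }

    // Chain 3 (last, no securityMatcher): everything else. Spring Session resolves
    // X-Auth-Token to the stored session and Spring Security reads the
    // SecurityContext from it. NEVER uses an existing session but creates none,
    // so an unauthenticated call gets 401 and leaves no row in spring_session.
    // CSRF is off because the session id travels in a header browsers never
    // attach automatically, not in a cookie.
    @Bean
    @Order(3)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.disable())
            .exceptionHandling(ex -> ex.authenticationEntryPoint(
                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.NEVER));
        return http.build();
    }

    @Bean
    HttpSessionIdResolver httpSessionIdResolver() {
        return HeaderHttpSessionIdResolver.xAuthToken(); // X-Auth-Token instead of JSESSIONID
    }

    // Constructed test user so the example runs without a real user store. Spring
    // Security wires the single UserDetailsService and PasswordEncoder beans into
    // the global AuthenticationManager, so no explicit manager bean is needed.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
                User.withUsername("alice").password(encoder.encode("s3cret")).roles("USER").build());
    }
}
```

Two things to check when ordering chains this way. First, chains are tried in @Order sequence and the first whose securityMatcher matches handles the request, so the chain without a matcher must have the lowest precedence; Spring Security refuses to start if a match-anything chain is declared before another chain. Second, Spring Boot's auto-configured "secure everything" chain backs off as soon as you declare your own SecurityFilterChain bean, and a request that no chain matches passes through FilterChainProxy with no security filters at all. That is why the asker's single chain with securityMatcher("/api/**") silently left /actuator/** and /health/** outside Spring Security rather than whitelisting them; the catch-all third chain above closes that gap. The asker's maximumSessions(1) is left out here because concurrent-session control against a Spring Session store needs a SpringSessionBackedSessionRegistry rather than the default in-memory registry.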
