stackoom
  简体   繁体   中英

Spring Security : Multiple HTTP Config not working

 原文  2015-11-09 05:43:45       java/ spring/ security/ spring-mvc/ spring-security

Question

I am trying to use Spring Security and I have a use case where I want different login pages and different set of URLs to be secured.

Here is my configuration:

@Configuration
@Order(1)
public static class ProviderSecurity extends WebSecurityConfigurerAdapter{
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .antMatchers("/admin/login").permitAll()
                .antMatchers("/admin/**").access("hasRole('BASE_USER')")
                .and()
            .formLogin()
                .loginPage("/admin/login").permitAll()
                .defaultSuccessUrl("/admin/home")
                .failureUrl("/admin/login?error=true").permitAll()
                .usernameParameter("username")
                .passwordParameter("password")
                .and()
            .csrf()                    
                .and()
            .exceptionHandling().accessDeniedPage("/Access_Denied");            
    }
}


@Configuration
@Order(2)
public static class ConsumerSecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/consumer/login").permitAll()
                .antMatchers("/consumer/**").access("hasRole('BASE_USER')")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/consumer/login").permitAll()
                .defaultSuccessUrl("/consumer/home")
                .failureUrl("/consumer/login?error=true").permitAll()
                .usernameParameter("username")
                .passwordParameter("password")
                .and().csrf()                
                .and()
            .exceptionHandling().accessDeniedPage("/Access_Denied");
    }
}

These classes are inner classes of another class MultipleHttpSecurityConfig that has annotation @EnableWebSecurity .

The security for admin/** is working fine, but none of the consumer/** pages are secured, no redirection is happening for login page. I've searched for other answers but none worked.

2 answers

solution1
 32  2015-11-09 11:49:07

Look at the Spring Security Reference :

 @EnableWebSecurity public class MultiHttpSecurityConfig { @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) { 1 auth .inMemoryAuthentication() .withUser("user").password("password").roles("USER").and() .withUser("admin").password("password").roles("USER", "ADMIN"); } @Configuration @Order(1) 2 public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) throws Exception { http .antMatcher("/api/**") 3 .authorizeRequests() .anyRequest().hasRole("ADMIN") .and() .httpBasic(); } } @Configuration 4 public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .anyRequest().authenticated() .and() .formLogin(); } } }

1 Configure Authentication as normal

2 Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first.

3 The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/

4 Create another instance of WebSecurityConfigurerAdapter . If the URL does not start with /api/ this configuration will be used. This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).

Your second configuration is not used, because your first configuration matches /** (no antMatcher configured). And your first configuration restricts only /admin/** , all other URLs are permitted by default.

solution2
 23  2016-05-23 02:52:33

Your first WebSecurityConfigurerAdapter 's

http
            .authorizeRequests()

matches all the URLs, limit it to only URLs start with /admin by using antMatcher :

@Configuration
@Order(1)
public static class ProviderSecurity extends WebSecurityConfigurerAdapter{
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/admin/**")
                .authorizeRequests()
                .antMatchers("/admin/login").permitAll()
                .antMatchers("/admin/**").access("hasRole('BASE_USER')")
                .and()

                ...

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Creating multiple HTTP sections in Spring Security Java Config Spring config server security encryption and decryption not working Spring security - Custom AuthenticationProvider not working - Java Config spring security java config - multiple authentication manager Spring Security, Method Security annotation (@Secured ) is not working (java config) Spring Boot Security Multi Http with OAuth not working Custom HTTP 403 page not working in Spring Security Spring boot security with http port 80 not working Http basic authentication not working in Spring Security Spring Security ignoring multiple HTTP configurations
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM