I have some local services mapped to same base url part. This services for users should be closed, but one of its is used by ZooKeeper and should be open. So i configured:
@Configuration
@EnableWebSecurity(debug = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("us").roles("USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/inner/service/**").hasRole("USER")
.and().antMatcher("/inner/service/event/bus").csrf().disable().anonymous()
.and().formLogin().and().logout().and().httpBasic();
}
}
this configuration does not works. i have open service not only for events. Each of services is open. If i change configuration to:
@Configuration
@EnableWebSecurity(debug = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("us").roles("USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/inner/service/**").hasRole("USER")
.and().formLogin().and().logout().and().httpBasic();
}
}
All services are closed than.
Is it possible to configure anonymous requests everywhere
"/**"
authenticated services by path
"/inner/service/**"
with open one
"/inner/service/event/bus"
?
PS Open service is used for ZooKeeper response.
solution is:
move to other path (to provide uncrossed passes)
"/inner/service/event/bus" // for example "/inner/event/bus"
change http security configuration:
@Override protected void configure(HttpSecurity http) throws Exception { // to ignore csrf filter for zookeeper client api http.csrf().ignoringAntMatchers("/inner/event/bus"); // configure the HttpSecurity http.antMatcher("/inner/service/**").authorizeRequests() // configure open resources. this configuration can be missed because of root level security (see line before) .antMatchers("/", "/index.html", "/inner/event/bus", "view.html").permitAll() // configure role for specified api .antMatchers("/inner/service/**").hasRole("USER") // to use default login and logout api .and().formLogin().and().logout().logoutSuccessUrl("/").and().httpBasic(); }
this solution works also if i remove one instruction:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().ignoringAntMatchers("/inner/event/bus");
http.antMatcher("/inner/service/**").authorizeRequests()
.antMatchers("/inner/service/**").hasRole("USER")
.and().formLogin().and().logout().logoutSuccessUrl("/").and().httpBasic();
}
And one more important point ( i think important ). I have removed from my *.yml files all security customization.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.