SpringBoot basic auth ignore URLs ending with .wsdl

I'm using basicAuth in my spring boot project.

There is a requirement that service URLs should be authenticated, while on WSDL, there should be no authentication.

I want to maintain all the authenticated & ignored URLs in application.yml file.

Something like:

auth.authenticated: /onlineshop/v1/ecart,/onlineshop/v1/wishlist
auth.ignored: /onlineshop/v1/ecart.wsdl,/onlineshop/v1/wishlist.wsdl


@EnableWebSecurity
@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${auth.authenticated}")
    String[] allAuthenticated;

    @Value("${auth.ignored}")
    String[] allIgnored;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Something like
        for (String ignored: allIgnored) {
            http.authorizeRequests().antMatchers(ignored).permitAll();
        }

        // Something like
        for (String authenticated: allAuthenticated) {
            http.authorizeRequests().antMatchers(authenticated).authenticated();
        }
        ....
    }

}

The above code is a rough draft (sorry for that), but I've tried coding along these lines and it is not working.

It is not applying any sort of authentication.

Please suggest how I can make this work.

Also, instead of ignoring selective URLs ending with .wsdl, how can I ignore all URLs ending with .wsdl?

Thank You

First of all, I believe you should take a whitelisting approach for allowing unauthenticated access. Therefore I have removed the allAuthenticated parameter and required authentication for every URL which is not in the allIgnored parameter, which is safer by design.

The configuration below is sufficient for the feature you require.

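import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Comma-separated list from application.yml of paths served without authentication
    @Value("${auth.ignored}")
    private String[] allIgnored;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Only the listed paths are open
            .antMatchers(allIgnored).permitAll()
            // Everything else requires credentials
            .anyRequest().authenticated()
            .and()
            // Enable HTTP Basic as the authentication mechanism
            .httpBasic();
    }

}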

Note that since antMatchers() requires String[], you don't need to iterate the loop yourself.

If you still want to configure with allAuthenticated you just need to add .antMatchers(allAuthenticated).authenticated() to the configuration.
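
For the second part of the question (opening every URL that ends in .wsdl rather than listing each one), a single Ant pattern can replace the auth.ignored list. The following is an added example, not part of the original answer; the class name, the constant and the pattern `/**/*.wsdl` are assumptions, as is the premise that WSDL documents are only ever fetched with GET.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class WsdlSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed pattern: any path, at any depth, whose last segment ends in ".wsdl".
    private static final String WSDL_PATTERN = "/**/*.wsdl";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Rules are evaluated in declaration order and the first match wins,
            // so the narrow exception has to be declared before anyRequest().
            //
            // Broad form: .antMatchers(WSDL_PATTERN).permitAll()
            // would also let unauthenticated POST/PUT/DELETE requests through
            // for any URL that happens to end in ".wsdl".
            //
            // Narrow form: only GET is exempt, so service calls stay behind
            // basic auth even if an endpoint is reachable under a ".wsdl" suffix.
            .antMatchers(HttpMethod.GET, WSDL_PATTERN).permitAll()
            // Default deny: everything not explicitly opened needs credentials.
            .anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}
```

Because the exemption is decided by URL suffix alone, check that no authenticated endpoint can also be reached under a path ending in .wsdl, for example through suffix pattern matching in the web framework.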
