Spring Security Java配置
[英]Spring Security Java Config
問題描述
最近我將Spring配置從XML遷移到Java配置。 它是一個Spring OAuth 2服務器,一些端點使用客戶端身份驗證進行保護,一些端點(confirm_access)使用用戶身份驗證進行保護,用戶身份驗證通過過濾器(“authenticationFilter”)進行重定向委托給登錄應用程序。 但是我無法對Spring Security Java配置做同樣的事情:
這是我工作的安全XML配置:
<sec:http pattern="/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
entry-point-ref="oauthAuthenticationEntryPoint">
<sec:intercept-url pattern="/token" access="IS_AUTHENTICATED_FULLY" />
<sec:anonymous enabled="false" />
<sec:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<sec:custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>
<sec:http pattern="/css/**" security="none" />
<sec:http pattern="/js/**" security="none" />
<sec:http access-denied-page="/errors/access-denied.html" disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint">
<sec:intercept-url pattern="/authorize" access="ROLE_USER" />
<sec:intercept-url pattern="confirm_access" access="ROLE_USER" />
<sec:intercept-url pattern="/device/authorize" access="ROLE_USER" />
<sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<sec:custom-filter ref="authenticationFilter" before="ANONYMOUS_FILTER" />
<sec:anonymous />
</sec:http>
<sec:authentication-manager id="clientAuthenticationManager">
<sec:authentication-provider user-service-ref="clientDetailsUserService" />
</sec:authentication-manager>
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider ref="authenticationProvider" />
</sec:authentication-manager>
<sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
<sec:expression-handler ref="oauthExpressionHandler" />
</sec:global-method-security>
<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
這是我的Java配置嘗試:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
@Order(1)
@Import({WebSecurityConfig.TokenEndpointSecurityConfigurationAdapter.class,
WebSecurityConfig.ResourceSecurityConfigurationAdapter.class,
WebSecurityConfig.AnonymousSecurityConfigurationAdapter.class})
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
ClientDetailsUserDetailsService clientDetailsUserService;
@Bean(name = "clientAuthenticationManager")
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void registerAuthentication(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(clientDetailsUserService);
}
@Configuration
@Order(2)
public static class TokenEndpointSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
@Autowired
ClientDetailsUserDetailsService clientDetailsUserService;
@Autowired
OAuth2AuthenticationEntryPoint oauthAuthenticationEntryPoint;
@Autowired
ClientCredentialsTokenEndpointFilter clientCredentialsTokenEndpointFilter;
@Autowired
OAuth2AccessDeniedHandler oauthAccessDeniedHandler;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.userDetailsService(clientDetailsUserService)
.anonymous().disable()
.authorizeUrls()
.antMatchers("/token")
.fullyAuthenticated()
.and()
.httpBasic()
.authenticationEntryPoint(oauthAuthenticationEntryPoint)
.and()
.addFilterBefore(clientCredentialsTokenEndpointFilter, BasicAuthenticationFilter.class)
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.stateless)
.and()
.exceptionHandling().accessDeniedHandler(oauthAccessDeniedHandler);
}
}
@Configuration
@Order(3)
public static class ResourceSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter{
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/css/**","/js/**");
}
}
@Configuration
@Order(4)
public static class AnonymousSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter{
@Autowired
OAuth2AuthenticationEntryPoint oauthAuthenticationEntryPoint;
@Autowired
AuthenticationFilter authenticationFilter;
@Autowired
PreAuthenticatedAuthenticationProvider authenticationProvider;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authenticationProvider(authenticationProvider)
.addFilterBefore(authenticationFilter, AnonymousAuthenticationFilter.class)
.authorizeUrls().anyRequest().anonymous()
.and()
.authorizeUrls()
.antMatchers("/authorize","confirm_access","/custom/authorize")
.hasRole("USER")
.and()
.exceptionHandling().accessDeniedPage("/errors/access-denied.html");
}
}
}
使用此配置,Spring Security會嘗試對所有端點的用戶進行身份驗證,並顯示生成登錄表單,因此不會添加自定義篩選器。
我的錯誤在哪里?
1 個解決方案
解決方案1
9 已采納 2013-11-21 20:41:53
由於原始配置僅包含兩個http元素,因此新配置應僅包含兩個WebSecurityConfigurerAdapter實例。 使用http.antMatchers映射每個WebSecurityConfigurerAdapter實例。 目前, WebSecurityConfigurerAdapter映射到每個URL。
您可以參考該參考以獲取如何使用多個WebSecurityConfigurerAdapter實例(相當於) 的示例
帶有Java配置的Spring Security AuthenticationFailureHandler
[英]spring security AuthenticationFailureHandler with java config
Spring Security Java Config未注冊ContextLoaderListener
[英]Spring Security Java Config no ContextLoaderListener registered
Spring 安全性 - 自定義 AuthenticationProvider 不起作用 - Java Config
[英]Spring security - Custom AuthenticationProvider not working - Java Config
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.
相關問題
Spring Security Java配置問題
spring security config xml to java
Spring Security OAuth Java配置
帶有Java配置的Spring Security AuthenticationFailureHandler
使用Vaadin進行Spring安全性的Java配置
Spring Security XML配置與Java配置
基於Java注釋的Spring安全配置
Spring Security Java配置不會攔截
Spring Security Java Config未注冊ContextLoaderListener
Spring 安全性 - 自定義 AuthenticationProvider 不起作用 - Java Config
相關標簽