![](/img/trans.png)
[英]Use RequestHeaderRequestMatcher and antmactcher basic auth in the same configuration Spring Security
[英]HTTP Basic with Spring Security XML configuration doesn't use HttpBasicConfigurer
關於HTTP基本配置,似乎XML配置和Java在Spring Security中執行的任務不同。
使用以下Java配置時:
protected void configure(HttpSecurity http) throws Exception {
http
.httpBasic()
.and()
.authorizeRequests()
.anyRequest().authenticated();
}
當請求HTTP標頭X-Requested-With
為XMLHttpRequest
時,將使用HttpBasicConfigurer
以便使用其他EntryPoint。
使用配置時
<s:http use-expressions="true" create-session="ifRequired">
<s:intercept-url pattern='/**' access='isAuthenticated()' />
<s:http-basic />
<s:http />
不使用HTTPBassicConfigurer
。
有人知道如何使用XML配置添加它嗎?
根據本文中人們提供的意見,最終的解決方案是無法將HTTPBasicConfigurer
與XML配置一起使用。 但是還有其他方法可以執行與HTTPBasicConfigurer
現在實現的幾乎相同的HTTPBasicConfigurer
。 我最終使用的解決方案主要基於Lea提供的意見:
<s:http use-expressions="true" create-session="ifRequired" >
<s:intercept-url pattern='/**' access='isAuthenticated()' />
<s:http-basic entry-point-ref="entryPoint" />
</s:http>
<bean id="entryPoint"
class="org.springframework.security.web.authentication
.DelegatingAuthenticationEntryPoint">
<constructor-arg>
<map>
<entry key="hasHeader('X-Requested-With','XMLHttpRequest')"
value-ref="ajaxEntyPoint" />
</map>
</constructor-arg>
<property name="defaultEntryPoint" ref="defaultEntryPoint"/>
</bean>
<bean id="ajaxEntyPoint"
class="org.springframework.security.web.authentication.HttpStatusEntryPoint">
<constructor-arg name="httpStatus"
value="#{T(org.springframework.http.HttpStatus).UNAUTHORIZED}"/>
</bean>
<bean id="defaultEntryPoint"
class="org.springframework.security.web.authentication.www
.BasicAuthenticationEntryPoint">
<property name="realmName" value="My webservices"/>
</bean>
基本身份驗證參數可以使用基本身份驗證過濾器顯式聲明:
<security:http use-expressions="true" entry-point-ref="entryPoint" authentication-manager-ref="authManager">
<security:custom-filter ref="advancedBasicFilter" position="BASIC_AUTH_FILTER"/>
<security:intercept-url pattern="/info/**" access="permitAll" />
<security:intercept-url pattern="/**" access="isAuthenticated()"/>
</security:http>
<bean id="advancedBasicFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<constructor-arg name="authenticationEntryPoint" ref="entryPoint"/>
<constructor-arg name="authenticationManager" ref="authManager"/>
</bean>
<bean id="entryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
<property name="realmName" value="My Realm"/>
</bean>
<security:authentication-manager id="authManager">
<security:authentication-provider user-service-ref="myOwnUserService" />
</security:authentication-manager>
如果將xml config與名稱空間一起使用,則不要使用HTTPBasicConfigurer
,而是使用<http-basic>
標記的屬性。
摘自Spring Security參考手冊附錄關於<http-basic>
標簽的安全名稱空間:
屬性
authentication-details-source-ref:對將由身份驗證過濾器使用的AuthenticationDetailsSource
引用
entry-point-ref設置由BasicAuthenticationFilter使用的AuthenticationEntryPoint
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.