[英]Multiple WebSecurityConfigurerAdapters: JWT authentication and form login in spring security
我有 spring 啟動應用程序和 thymeleaf。 我正在使用 spring 安全 formLogin 方法來確保安全,現在我需要為一些 API 添加 JWT。
@EnableWebSecurity
public class SecurityConfigurations {
@Autowired
UserDetailsServiceImpl userDetails;
@Bean
DaoAuthenticationProvider provider() {
DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
provider.setPasswordEncoder(encoder());
provider.setUserDetailsService(userDetails);
return provider;
}
@Bean
PasswordEncoder encoder() {
return new BCryptPasswordEncoder();
}
@Configuration
@Order(1)
public class JWTSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
@Autowired
private JwtRequestFilter jwtRequestFilter;
@Autowired
DaoAuthenticationProvider provider;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(provider);
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.csrf().disable()
.authorizeRequests().antMatchers("/api/user/authenticate").permitAll()
.antMatchers("/api/user/**").hasRole("USER")
.and().
exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// Add a filter to validate the tokens with every request
httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}
}
@Configuration
public static class FormLoginConfigurationAdapter extends WebSecurityConfigurerAdapter {
@Autowired
DaoAuthenticationProvider provider;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(provider);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/admin/admins**").hasAnyRole("SADMIN").antMatchers("/admin/**")
.hasAnyRole("ADMIN", "SADMIN", "WADMIN").antMatchers("/rest/**")
.hasAnyRole("ADMIN", "SADMIN", "WADMIN", "USER").antMatchers("/user/**").hasAnyRole("USER")
.anyRequest().permitAll().and().formLogin().loginPage("/sign-in-up")
.loginProcessingUrl("/signInProcess").usernameParameter("phone").and().logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/")
.invalidateHttpSession(false).and().csrf().disable().cors();
}
}
}
通過這樣做 JWT 工作正常,正如我所需要的,但 formlogin 已停止並調用“/signInProcess”現在給出 404:
注意:如果我更改訂單並使 formLogin @order(1) 它再次工作,但當然不會工作。
我也嘗試像這樣將它們結合起來,但它們都可以正常工作,但是如果 JWT 身份驗證錯誤將返回 formlogin thymeleaf 錯誤頁面,則會出現異常處理問題:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/admin/admins**").hasAnyRole("SADMIN").antMatchers("/admin/**")
.hasAnyRole("ADMIN", "SADMIN", "WADMIN").antMatchers("/rest/**")
.hasAnyRole("ADMIN", "SADMIN", "WADMIN", "USER").antMatchers("/user/**").hasAnyRole("USER")
.antMatchers("/api/user/authenticate").permitAll()
.antMatchers("/api/user/**").hasRole("USER")
.anyRequest().permitAll().and().formLogin().loginPage("/sign-in-up")
.loginProcessingUrl("/signInProcess").usernameParameter("phone").and().logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/")
.invalidateHttpSession(false).and().csrf().disable().cors();
http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}
任何使這項工作的建議。 謝謝你。
您的WebSecurityConfigurerAdapters將按順序處理傳入的請求。
由於JWTSecurityConfig使用@Order(1)注釋,它將首先處理請求。
您沒有為此適配器指定antMatcher ,因此它將匹配所有請求。
這意味着請求永遠不會到達FormLoginConfigurationAdapter ,因為JWTSecurityConfig匹配它們。
如果您希望JWTSecurityConfig僅適用於某些請求,您可以在您的安全配置中指定一個antMatcher 。
下面是一個例子:
@EnableWebSecurity
public class SecurityConfigurations {
@Configuration
@Order(1)
public class JWTSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.requestMatchers(matchers -> matchers
.antMatchers("/api/**") // apply JWTSecurityConfig to requests matching "/api/**"
)
.authorizeRequests(authz -> authz
.anyRequest().authenticated()
)
.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}
}
@Configuration
public class FormLoginConfigurationAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authz -> authz
.anyRequest().authenticated()
)
.formLogin();
}
}
}
有關多個WebSecurityConfigurerAdapter的更多詳細信息,您可以查看 Spring 安全參考文檔中的多個HttpSecurity部分。
有關authorizeRequests()和requestMatchers()之間區別的更多詳細信息,您可以查看此 Stack Overflow 問題。
Spring Security 3.2.1 具有不同 WebSecurityConfigurerAdapters 的多個登錄表單
[英]Spring Security 3.2.1 Multiple login forms with distinct WebSecurityConfigurerAdapters
在 Spring Security UsernamePasswordAuthenticationFilter JWT 認證中設置自定義登錄 url
[英]Set custom login url in Spring Security UsernamePasswordAuthenticationFilter JWT authentication
具有Spring Security的雙重身份驗證(帶有表單登錄和請求)
[英]Double authentication with spring security (with form-login and request)
Spring Security LDAP 認證用戶名和密碼來自登錄表單
[英]Spring Security Ldap authentication userDn and password from login form
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.