1. 首页
  2. 问答
  3. 结合春季HTTP基本认证和访问令牌

结合春季HTTP基本认证和访问令牌

2015-09-16 69 views
4

如何结合使用Spring HTTP基本认证和访问令牌两者同时工作?在我的情况下,只有订单(1)的配置确实有效。结合春季HTTP基本认证和访问令牌

我希望只有拥有令牌的用户才能访问所有*/api **/*,只有登录用户才能访问*/web **/*。

WebSecurityConfig.java

@Configuration 
@EnableWebMvcSecurity 
@Order(1) 
public class WebSecurityConfig extends WebSecurityConfigurerAdapter { 

    @Autowired 
    private UserDetailsService userDetailsService; 

    @Override 
    protected void configure(HttpSecurity http) throws Exception { 
     http.authorizeRequests().antMatchers("/web/**", "/gopr").authenticated().and().authorizeRequests() 
.and() 
       .formLogin().loginPage("/login").permitAll() 
       .defaultSuccessUrl("/gopr", true).permitAll().and().logout().logoutSuccessUrl("/login").permitAll(); 
    } 

    @Autowired 
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { 
     auth.userDetailsService(userDetailsService); 
    } 
}

Application.java

@SpringBootApplication 
@EnableResourceServer 
@Order(2) 
public class Application { 

    public static void main(String[] args) { 
     SpringApplication.run(Application.class, args); 

    } 

    @Configuration 
    @EnableAuthorizationServer 
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter { 

     @Autowired 
     private AuthenticationManager authenticationManager; 

     @Override 
     public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { 
      endpoints.authenticationManager(authenticationManager); 
     } 

     @Override 
     public void configure(ClientDetailsServiceConfigurer clients) throws Exception { 
      // @formatter:off 
      clients.inMemory() 
       .withClient("my-trusted-client") 
        .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit", "client_credentials") 
        .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT") 
        .scopes("read", "write", "trust") 
        .resourceIds("oauth2-resource") 
        .secret("password") 
        .accessTokenValiditySeconds(600); 
     // @formatter:on 
     } 
    } 

    @Configuration 
    @EnableResourceServer 
    protected static class ResourceServer extends ResourceServerConfigurerAdapter { 

     @Override 
     public void configure(HttpSecurity http) throws Exception { 
      http.authorizeRequests().antMatchers("/web/**", "/login", "/index", "/").permitAll() 
        .antMatchers("/api/**").authenticated(); 
      /* antMatchers("/web/**", "/gopr").permitAll().antMatchers("/api/**").authenticated(); */ 
     } 
    } 
}

来源

2015-09-16 Pavlo Zvarych

回答

4

始终使用 'requestMatchers()' 创建安全过滤器时。这样,当创建多个过滤器链时,只有第一个过滤器链将不会被使用。

同时修改你的WebSecurityConfig.java为:

@Configuration 
    @EnableWebMvcSecurity 
    @Order(1) 
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter { 
    ... 
     @Override 
     protected void configure(HttpSecurity http) throws Exception { 
      http 
       .requestMatchers().antMatchers("/web/**", "/gopr") 
       .and() 
       .authorizeRequests().antMatchers("/web/**", "/gopr").authenticated(). 
       .and() 
        .formLogin().loginPage("/login").permitAll() 
        .defaultSuccessUrl("/gopr", true).permitAll().and().logout().logoutSuccessUrl("/login").permitAll(); 
     } 
     ... 
    }

和你ResourceServer内部类为:

@Configuration 
    @EnableResourceServer 
    protected static class ResourceServer extends 
      ResourceServerConfigurerAdapter { 

     ... 
     @Override 
     public void configure(HttpSecurity http) throws Exception { 
      http 
        .requestMatchers().antMatchers("/api/**").and() 
        .authorizeRequests().antMatchers("/api/**").authenticated(); 
     } 


    }

参考:https://github.com/royclarkson/spring-rest-service-oauth/issues/11

来源

2015-10-09 15:39:30

相关问题

 相关问题