
Spring Security HTTP Basic for RESTful and FormLogin (Cookies) for Web - Annotations


In Specific

I want HTTP Basic authentication only for a specific URL pattern.

In Detail

I am creating an API interface for my application, which needs to be authenticated by simple HTTP Basic authentication. But the other web pages should use the normal form login instead of HTTP Basic.

Current Configuration - NOT Working

@Override
protected void configure(HttpSecurity http) throws Exception {
    http //HTTP Security
            .csrf().disable() //Disable CSRF
            .authorizeRequests() //Authorize Request Configuration
                .antMatchers("/connect/**").permitAll()
                .antMatchers("/", "/register").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/api/**").hasRole("API")
                .anyRequest().authenticated()
            .and() //HTTP basic Authentication only for API
                .antMatcher("/api/**").httpBasic()
            .and() //Login Form configuration for all others
                .formLogin().loginPage("/login").permitAll()
            .and() //Logout Form configuration
                .logout().permitAll();
}

2 Answers

  • 49

    Waited 2 days and got no help here. But my own research gave me the solution :)

    Solution

    @Configuration
    @EnableWebMvcSecurity
    @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, proxyTargetClass = true)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
    
        @Autowired
        private AuthenticationProvider authenticationProvider;
    
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(authenticationProvider);
        }
    
        @Configuration
        @Order(1)
        public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter{
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http.csrf().disable()
                        .antMatcher("/api/**")
                        .authorizeRequests()
                            .anyRequest().hasAnyRole("ADMIN", "API")
                            .and()
                        .httpBasic();
            }
        }
    
        @Configuration
        @Order(2)
        public static class FormWebSecurityConfig extends WebSecurityConfigurerAdapter{
    
            @Override
            public void configure(WebSecurity web) throws Exception {
                web.ignoring().antMatchers("/css/**", "/js/**", "/img/**", "/lib/**");
            }
    
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http.csrf().disable() //HTTP with Disable CSRF
                        .authorizeRequests() //Authorize Request Configuration
                            .antMatchers("/connect/**").permitAll()
                            .antMatchers("/", "/register").permitAll()
                            .antMatchers("/admin/**").hasRole("ADMIN")
                            .anyRequest().authenticated()
                            .and() //Login Form configuration for all others
                        .formLogin()
                            .loginPage("/login").permitAll()
                            .and() //Logout Form configuration
                        .logout().permitAll();
            }
        }
    }
    
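    The same two-chain split, written against the SecurityFilterChain bean API that replaced WebSecurityConfigurerAdapter in Spring Security 5.7+/6. This is an added example, not code from either answer; it assumes Spring Boot 3 / Spring Security 6 and the question's URL layout and roles. It differs from the answers in one security-relevant detail: CSRF protection stays enabled on the cookie-based form-login chain and is only disabled on the stateless API chain.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    // Chain 1: only requests matching /api/** reach this chain. securityMatcher()
    // must be the first call on the builder; calling the matcher after
    // authorizeRequests(), as in the question, does not scope the chain at all.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            // Stateless API: no session cookie is issued, so there is nothing
            // for CSRF to protect and the token check can be switched off here.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .anyRequest().hasAnyRole("ADMIN", "API"))
            // httpBasic() registers the Basic entry point for this chain, so an
            // unauthenticated API call gets a 401 challenge, not a /login redirect.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Chain 2: everything else. Form login relies on a session cookie, so CSRF
    // protection is left at its default (enabled); static assets are permitAll
    // instead of web.ignoring(), so they still pass through the security headers.
    @Bean
    @Order(2)
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/register", "/connect/**").permitAll()
                .requestMatchers("/css/**", "/js/**", "/img/**", "/lib/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            .logout(logout -> logout.permitAll());
        return http.build();
    }
}
```

    The ordering matters: the narrower /api/** chain must carry the lower @Order value, because the first chain whose matcher accepts a request handles it and the catch-all web chain would otherwise swallow the API requests.
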
  • 0

    I don't know if it's useful, but I couldn't get the above solution to work. I found a workaround by defining a single @Configuration class extending WebSecurityConfigurerAdapter that configures both httpBasic() and formLogin(). Then I created a custom CustomAuthEntryPoint implements AuthenticationEntryPoint with this logic in the commence method:

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.web.AuthenticationEntryPoint;

    public class CustomAuthEntryPoint implements AuthenticationEntryPoint {

        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                             AuthenticationException authException) throws IOException, ServletException {
            // UtilityClass.extractUrlContext and API_URL_PREFIX are the answerer's own helpers (not shown)
            String urlContext = UtilityClass.extractUrlContext(request);
            if (!urlContext.equals(API_URL_PREFIX)) {
                // Browser request: send the user to the form login page
                String redirectUrl = "urlOfFormLogin";
                response.sendRedirect(request.getContextPath() + redirectUrl);
            } else {
                // API request: answer with a plain 401 instead of a redirect
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            }
        }
    }

    Dunno if it's the "best practice strategy" for this problem.
