在 Spring Boot 中使用多个 WebSecurityConfigurerAdapter
我有 2 个扩展 WebSecurityConfigurerAdapter 的类.并且无法让它们协同工作.
I'm having 2 classes which extends WebSecurityConfigurerAdapter. And can't make them work together.
思路如下:
- 有一个
WebSecurityConfigurerAdapter,它只向安全链添加自定义过滤器.过滤器执行一些自定义身份验证并将Authentication保存到SecurityContext中.这通常工作正常.配置如下(省略导入):
- Have one
WebSecurityConfigurerAdapterwhich only adds custom filter to security chain. The filter does some custom authentication and savesAuthenticationintoSecurityContext. This generally works fine. Configured as follows (imports omitted):
@Order(1)
@Configuration
@EnableWebMvcSecurity
public class BestSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private BestPreAuthenticationFilter ssoAuthenticationFilter;
@Bean
protected FilterRegistrationBean getSSOAuthenticationFilter() {
FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean(ssoAuthenticationFilter);
// Avoid include to the default chain
filterRegistrationBean.setEnabled(false);
return filterRegistrationBean;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.addFilterAfter(ssoAuthenticationFilter, SecurityContextPersistenceFilter.class);
}
@Configuration
protected static class AuthenticationConfiguration extends
GlobalAuthenticationConfigurerAdapter {
@Autowired
private BestAuthenticationProvider authenticationProvider;
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authenticationProvider);
}
}
}
- 我希望以上是一种任何人都可以通过
@ComponentScan包含的库类,并对自定义身份验证进行排序.显然他们想提供自定义的HttpSecurity来保护 edpoint.尝试类似:
- I want the above to be kind of library class which anyone can include via
@ComponentScanand get the custom authentication sorted. Obviously they want to provide customHttpSecurityto secure edpoints. Trying something like:
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/testUrl").hasRole("NON_EXISTING")
.anyRequest().authenticated();
}
}
显然测试 URL 不应该被访问,因为我的用户不是角色 NON_EXISTING 的成员.不幸的是,她是.
Obviously the test URL should not be accessible as my user is not member of role NON_EXISTING. Unfortunatelly she is.
如果我将安全 authorizeRequests() 部分移动到配置类表单 1. 旁边添加安全过滤器,那么它会按预期阻止访问.但就我而言,似乎忽略了第二个配置.
If I move the security authorizeRequests() part to the configuration class form 1. next to adding the security filter then it blocks the access as expected. But in my case it looks like the second configuration is ignored.
我还调试了 configure() 方法并注意到 HttpSecurity 不是同一个对象,有点臭.
I also debugged the configure() methods and noticed that HttpSecurity is not the same object which smells a bit.
关于如何使这项工作非常受欢迎的任何提示.
Any tips how can I make this work much appreciated.
目标总结:
- 有一个
WebSecurityConfigurerAdapter,它添加过滤器并对 库的用户隐藏 - 让用户定义自己的自定义端点安全
Spring Boot 1.1.6-RELEASE
Spring boot 1.1.6-RELEASE
定义一个特殊的接口
public interface ServiceWebSecurityConfigurer {
void configure(HttpSecurity http) throws Exception;
}
然后只有一个配置器适配器:
Then have just one ConfigurerAdapter:
public class MyConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Autowired(required = false)
ServiceWebSecurityConfigurer serviceSecConfig;
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests(). // whatever
if (serviceSecConfig != null) serviceSecConfig.configure(http);
http.authorizeRequests(). // whatever
}
}
然后在需要时在其他地方实现 ServiceWebSecurityConfigurer.也可以有多个实现,只需将它们自动装配为列表并在您的主要配置中迭代和使用它们.
and then just implement ServiceWebSecurityConfigurer elsewhere when needed. There can be multiple implementations as well, just autowire them as list and iterate and use them all in your main configuration.