您的位置: 首页  >  技术问答  >  如何允许“/ api / **”通过我的基本身份验证配置和我在Spring Security中的oauth配置

如何允许“/ api / **”通过我的基本身份验证配置和我在Spring Security中的oauth配置

分类: 技术问答 2022-03-29 16:06:49

如何允许“/ api / **”通过我的基本身份验证配置和我在Spring Security中的oauth配置

问题描述:

我有一个同时使用Basic Auth和OAuth2的应用。

I have an app that uses both Basic Auth and OAuth2.

某些网址使用基本身份验证授权,/ api / **授权使用OAuth2。

Some URLs are authorized using Basic Auth and "/api/**" is authorized using OAuth2.

目前,我有两个Java配置文件( WebSecurityConfigurerAdapter ResourceServerConfigurerAdapter

Currently, I have two Java config files (WebSecurityConfigurerAdapter and ResourceServerConfigurerAdapter)

每个配置文件定义一个 public void configure(HttpSecurity http)方法。

Each of the config files define a public void configure(HttpSecurity http) method.

我遇到的麻烦是我需要一种优雅的方式来告诉我的应用程序是否在给定网址请求时使用基本身份验证或oauth2。

The trouble I'm having is that I need an elegant way to tell my app whether to use basic auth or oauth2 given the url request.

目前我正在使用 requestMatchers 来实现这一目标:

Currently I'm using requestMatchers to make this happen:

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
  @Override
  protected void configure(HttpSecurity http) throws Exception
  {
    http
      .csrf().disable()
    .requestMatchers()
      .antMatchers("/*", "/login/**", "/reviews/**")
    .and()
    .authorizeRequests()
      .antMatchers("/*").permitAll()
      .antMatchers("/js/**").permitAll()
      .antMatchers("/img/**").permitAll()
    .formLogin()
      .loginPage("/login")
      .successHandler(loginSuccessPostHandler)
      .permitAll()
      .and()
    .logout()
      .logoutSuccessUrl("/").permitAll()
      .and()
    .apply(getSpringSocialConfigurer());
  }
}

@Configuration
public class OAuth2ServerConfig
{
  @Configuration
  @EnableResourceServer
  protected static class Oauth2ServerConfig extends ResourceServerConfigurerAdapter
  {
    @Override
    public void configure(HttpSecurity http) throws Exception
    {
      http.httpBasic().disable();
      http.csrf().disable();

      http.requestMatchers()
        .antMatchers("/api/**")
        .and()
      .authorizeRequests()
        .antMatchers("/api/v1/**").access("#oauth2.hasScope('read')");  
    }
  }
}

问题在于每一次我添加了一个不是/ api / **的新网址,我需要将它添加到我的 WebSecurityConfig 的requestMatcher部分......这可能会导致愚蠢未来的错误。

The problem is that every time I add a new URL that's NOT "/api/**", I'll need to add it into my WebSecurityConfig's requestMatcher section... this could lead to silly bugs in the future.

有没有办法根据负前瞻正则表达式进行requestMatcher搜索?我尝试使用正则表达式: ^(?!/ api)但是因为它实际上没有返回MATCH而只返回find == true,所以它没有好像完成了工作。

Is there a way to have a requestMatcher search based on a negative lookahead regex? I tried this using the regex: ^(?!/api) but since it doesn't actually return a MATCH and only returns a "find == true", it doesn't seem to get the job done.

有什么想法/建议吗?

您可以使用 NegatedRequestMatcher


RequestMatcher将否定传入的RequestMatcher。例如,如果传入的RequestMatcher返回true,NegatedRequestMatcher将返回false。如果传入的RequestMatcher返回false,则NegatedRequestMatcher将返回true。

A RequestMatcher that will negate the RequestMatcher passed in. For example, if the RequestMatcher passed in returns true, NegatedRequestMatcher will return false. If the RequestMatcher passed in returns false, NegatedRequestMatcher will return true.

相关推荐