java - 在 Maven 依赖项中重写时重写 Spring Security 配置(HttpSecurity)

Question

我有一个带有 Spring Security 的 Maven Spring Boot 2 项目。 maven 依赖项之一扩展了 WebSecurityConfigurerAdapter。例如，

public class MyConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.exceptionHandling()
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
                .and()
                .csrf()
                .and()
                .formLogin()
                .permitAll()
                .successHandler(myLoginHandler)
                .failureHandler(formAuthFailureHandler)
                .and()
                .logout()
                .permitAll()
                .logoutRequestMatcher(new AntPathRequestMatcher(logoutUrl()))
                .logoutSuccessUrl(logoutSuccessUrl())
                .and()
                .authorizeRequests()
                .antMatchers(publicRoutes())
                .permitAll()
                .antMatchers(HttpMethod.POST).authenticated()
                .antMatchers(HttpMethod.PUT).authenticated()
                .antMatchers(HttpMethod.PATCH).authenticated()
                .antMatchers(HttpMethod.DELETE).denyAll()
                .anyRequest()
                .authenticated();
    }
}

问题是在这个应用程序中，我需要重写 successHandler() 并添加一个注销处理程序，如 logout().addLogoutHandler(myLogoutHandler)。

是否可以只更新这些位，或者我需要再次定义整个链？也许是这样的，

public class AnotherConfig extends MyConfig {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.exceptionHandling()
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
                .and()
                .csrf()
                .and()
                .formLogin()
                .permitAll()
                .successHandler(myLoginHandler)
                .failureHandler(formAuthFailureHandler)
                .and()
                .logout()
                .addLogoutHandler(myLogoutHandler)
                .permitAll()
                .logoutRequestMatcher(new AntPathRequestMatcher(logoutUrl()))
                .logoutSuccessUrl(logoutSuccessUrl())
                .and()
                .authorizeRequests()
                .antMatchers(publicRoutes())
                .permitAll()
                .antMatchers(HttpMethod.POST).authenticated()
                .antMatchers(HttpMethod.PUT).authenticated()
                .antMatchers(HttpMethod.PATCH).authenticated()
                .antMatchers(HttpMethod.DELETE).denyAll()
                .anyRequest()
                .authenticated();
    }
}

我希望在某个地方可能有一个用于这两个值的 setter 。

谢谢

Answer 1

您需要将覆盖的顺序设置为高于被覆盖的顺序。

@Order(Ordered.LOWEST_PRECEDENCE - 1)
public class AnotherConfig extends MyConfig {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.exceptionHandling()
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
                .and()
                .csrf()
                .and()
                .formLogin()
                .permitAll()
                .successHandler(myLoginHandler)
                .failureHandler(formAuthFailureHandler)
                .and()
                .logout()
                .addLogoutHandler(myLogoutHandler)
                .permitAll()
                .logoutRequestMatcher(new AntPathRequestMatcher(logoutUrl()))
                .logoutSuccessUrl(logoutSuccessUrl())
                .and()
                .authorizeRequests()
                .antMatchers(publicRoutes())
                .permitAll()
                .antMatchers(HttpMethod.POST).authenticated()
                .antMatchers(HttpMethod.PUT).authenticated()
                .antMatchers(HttpMethod.PATCH).authenticated()
                .antMatchers(HttpMethod.DELETE).denyAll()
                .anyRequest()
                .authenticated();
    }
}

为什么Ordered.LOWEST_PRECEDENCE - 1？
因为默认顺序是为重写类设置的 Ordered.LOWEST_PRECEDENCE 。

或者您可以将其设置为覆盖的特定数字。