我的目标是在我的 Spring Boot 应用程序中同时使用这两种安全性。我已经用JWT做了API端,但是不知道WEB端的session怎么实现。我已经在另一个项目中这样做了,但我不知道如何让它们一起工作。
这是我的 SecurityConfig :
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().ignoringAntMatchers("/api/**")
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/api/register").permitAll()
.antMatchers("/api/login").permitAll()
.antMatchers("/api/public").permitAll()
.antMatchers("/api/lost").permitAll()
.antMatchers("/").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/contact").permitAll()
.antMatchers("/resources/**").permitAll()
.antMatchers("/file/**").permitAll()
.anyRequest().authenticated()
.and()
.apply(new JWTConfigurer(this.tokenProvider));
}
我想要这样的东西:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
// For API side something like : .match("/api/**")
// No CSRF
.csrf().ignoringAntMatchers("/api/**")
// STATELESS session
// Use token filter
.apply(new JWTConfigurer(this.tokenProvider));
// For WEB side something like : .match "others"
// Use CSRF
.csrf()
// Use session
// And the other permit :
.authorizeRequests()
.antMatchers("/api/register").permitAll()
.antMatchers("/api/login").permitAll()
.antMatchers("/api/public").permitAll()
.antMatchers("/api/lost").permitAll()
.antMatchers("/").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/contact").permitAll()
.antMatchers("/resources/**").permitAll()
.antMatchers("/file/**").permitAll()
.anyRequest().authenticated();
}
谁能告诉我怎么做? (并解释它是如何工作的)。
我还没有找到关于我所问的任何好的解决方案。
最佳答案
经过 6 个小时的搜索,这里是解决方案:
https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#multiple-httpsecurity
编辑:
这是我如何做到的:
@EnableWebSecurity
public class MultiHttpSecurityConfig {
@Autowired
private UserDetailsService userDetailsService;
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(12);
}
@Configuration
@Order(1)
public class ApiSecurityAdapter extends WebSecurityConfigurerAdapter {
private TokenProvider tokenProvider;
public ApiSecurityAdapter(TokenProvider tokenProvider) {
this.tokenProvider = tokenProvider;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/api/**") //<= Security only available for /api/**
.authorizeRequests()
.antMatchers("/api/register").permitAll()
.antMatchers("/api/login").permitAll()
.antMatchers("/api/public").permitAll()
.antMatchers("/api/lost").permitAll()
.anyRequest().authenticated()
.and()
.apply(new JWTConfigurer(this.tokenProvider))
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
}
@Configuration
public class WebSecurityAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http // <= Security available for others (not /api/)
.authorizeRequests()
.antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
.antMatchers("/").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/resources/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.usernameParameter("email")
.passwordParameter("password")
.defaultSuccessUrl("/central", false)
.failureForwardUrl("/login/fail")
.and()
.logout()
.invalidateHttpSession(true)
.logoutUrl("/logout")
.logoutSuccessUrl("/")
.and()
.csrf();
}
}
}
希望这可以帮助!
关于 Spring 安全 : JWT token for API and session for web,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/44970848/