我正在构建一个需要处理两种类型身份验证的应用程序,所以我这样做了
@Autowired
UserService userService;
@Autowired
public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
// Md5PasswordEncoder encoder = new Md5PasswordEncoder();
auth.userDetailsService(userDetailsService());// .passwordEncoder(encoder);
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/api/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')").and().formLogin()
.loginPage("/login").usernameParameter("username").passwordParameter("password").and()
.exceptionHandling().accessDeniedPage("/access_denied").and().csrf().disable();
}
@Override
protected UserDetailsService userDetailsService() {
return (UserDetailsService) userService;
}
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
@Order(Ordered.LOWEST_PRECEDENCE)
public static class ApiSecurityConfiguration extends WebSecurityConfigurerAdapter {
AuthenticationTokenFilter authenticationTokenFilter;
@Autowired
CustomAuthenticationEntryPoint customAuthenticationEntryPoint;
@Autowired
TokenUtils tokenUtils;
@Override
protected void configure(HttpSecurity http) throws Exception {
authenticationTokenFilter = new AuthenticationTokenFilter(authenticationManager(), tokenUtils);
http.csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.authorizeRequests()//.antMatchers("/api/authenticate", "/admin/**").permitAll()
.antMatchers("/api/**").authenticated().and()
.addFilterBefore(authenticationTokenFilter, AnonymousAuthenticationFilter.class).httpBasic()
.authenticationEntryPoint(customAuthenticationEntryPoint);
}
}
如果我使用 @Order(Ordered.HIGHEST_PRECEDENCE) ApiSecurityConfiguration 完美运行并且第一个配置被错过,
如果我将它切换到 @Order(Ordered.LOWEST_PRECEDENCE),第一个完美运行并且 ApiSecurityConfiguration 被遗漏,甚至添加的过滤器也不再激活,我认为它们会相互冲突并且禁用另一个,有什么建议吗?
最佳答案
您必须更改两种配置的 antMatcher,我的意思是在两种配置中 antMatcher url 必须是唯一的。如果你写了不同的 antMatcher urls 那么你的问题应该得到解决
关于spring-security - 多个 WebSecurityConfigurerAdapter 冲突问题,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/35134032/