Multiple entry points in Spring Security
The official reference shows multiple entry points with one main class and two inner classes, which is convenient for a demo. The example below splits them into two configuration classes with two separate users, which is easier to follow.
Configuration
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class FormSecurityConfig extends WebSecurityConfigurerAdapter {

    // Shared encoder bean; static so it exists before either configurer is processed
    @Bean
    public static PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().disable()
            .csrf().disable()
            .authorizeRequests().antMatchers("/form/**")
                .hasRole("USER")
            .and()
            .formLogin().successForwardUrl("/form/index");
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // In-memory user known only to this filter chain's AuthenticationManager
        auth
            .inMemoryAuthentication()
            .withUser("user")
            .password(passwordEncoder().encode("user"))
            .roles("USER");
    }
}
Notes:
- The configuration above registers user as the default user, holding the USER role
- Paths starting with /form require the USER role
- formLogin is added, with /form/index as the page forwarded to after a successful login
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;

@Order(1)
@Configuration
public class BasicSecurityConfig extends WebSecurityConfigurerAdapter {

    // Reuses the encoder bean declared in FormSecurityConfig
    @Autowired
    private PasswordEncoder passwordEncoder;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // antMatcher restricts this whole chain to /basic/**
        http
            .antMatcher("/basic/**")
            .authorizeRequests().anyRequest()
                .hasRole("BASIC")
            .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // In-memory user known only to this filter chain's AuthenticationManager
        auth
            .inMemoryAuthentication()
            .withUser("basic")
            .password(passwordEncoder.encode("basic"))
            .roles("BASIC");
    }
}
Notes:
- @Order(1) sets the loading order of this configuration
- The configuration above registers basic as the default user, holding the BASIC role
- Paths starting with /basic require the BASIC role
- httpBasic authentication is added
Caveats
- An HttpSecurity configuration that begins with authorizeRequests applies to every request path
- An HttpSecurity configuration that begins with antMatcher("/basic/**") adds a new entry point
- FormSecurityConfig declares no @Order and therefore inherits the @Order(100) annotation of WebSecurityConfigurerAdapter
- Because formLogin registers the default login page filter at /login, this chain must not be restricted to a different path prefix; otherwise the default login page stops working
- If the authorizeRequests-based (catch-all) configuration is loaded earlier, the paths covered by antMatcher in later configurations no longer take effect.
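The caveats above can be checked rather than trusted. The MockMvc test below is an added example, not part of the original post or its repository; it assumes spring-boot-starter-test and spring-security-test are on the test classpath, that both configuration classes are picked up by @SpringBootTest, and that a controller serves GET /basic/index. It verifies that each entry point answers anonymous requests in its own way and that the two in-memory users are not interchangeable across chains.

```java
import static org.hamcrest.Matchers.endsWith;
import static org.hamcrest.Matchers.startsWith;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

@SpringBootTest
class EntryPointSeparationTest {
    @Autowired private WebApplicationContext context;
    private MockMvc mvc;

    @BeforeEach
    void setUp() {
        // springSecurity() installs springSecurityFilterChain so both chains are exercised
        mvc = MockMvcBuilders.webAppContextSetup(context).apply(springSecurity()).build();
    }

    @Test
    void basicChainChallengesAnonymousWithBasicAuth() throws Exception {
        mvc.perform(get("/basic/index"))
           .andExpect(status().isUnauthorized())
           .andExpect(header().string("WWW-Authenticate", startsWith("Basic")));
    }

    @Test
    void formChainRedirectsAnonymousToDefaultLoginPage() throws Exception {
        mvc.perform(get("/form/index"))
           .andExpect(status().is3xxRedirection())
           .andExpect(header().string("Location", endsWith("/login")));
    }

    @Test
    void usersAreNotSharedAcrossChains() throws Exception {
        // "user" exists only in FormSecurityConfig's AuthenticationManager, so the basic chain rejects it
        mvc.perform(get("/basic/index").with(httpBasic("user", "user")))
           .andExpect(status().isUnauthorized());
        // "basic" is accepted by its own chain (assumes a controller answers GET /basic/index)
        mvc.perform(get("/basic/index").with(httpBasic("basic", "basic")))
           .andExpect(status().isOk());
    }
}
```

If FormSecurityConfig were given an @Order below 1, the first test fails with a redirect to /login instead of a 401, which is the ordering problem the last caveat describes.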
Related code
https://gitee.com/MeiJM/spring-cram/tree/master/customSecurity
References
https://docs.spring.io/spring-security/site/docs/5.4.1/reference/html5/#multiple-httpsecurity
https://www.baeldung.com/spring-security-multiple-entry-points
https://github.com/spring-projects/spring-security/issues/5593