I'm trying to secure 3 endpoints: /test1 with basic authentication, /test2 and /test3 with OAuth. I'm trying to do this with multiple HttpSecurity, as in many examples, but it doesn't work.
```java
@Configuration
@EnableWebSecurity // (proxyBeanMethods = false)
public class SecurityConfigOauth {

    // Neither chain has a securityMatcher, so the @Order(1) chain receives every request.
    @Bean
    @Order(2)
    public SecurityFilterChain filterChainOauth(HttpSecurity http) throws Exception {
        http.headers().frameOptions().sameOrigin();
        http
            .csrf().disable()
            .oauth2Login(oauth2Login -> oauth2Login.loginPage("/test1"));
        return http.build();
    }

    @Bean
    @Order(1)
    public SecurityFilterChain filterChainHTTPBasic(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((authz) -> authz
                .requestMatchers("/test2/**", "/test3/**").authenticated()
                .anyRequest().permitAll())
            .csrf().disable()
            .httpBasic(withDefaults());
        return http.build();
    }

    @Bean
    DefaultOAuth2AuthorizationRequestResolver pkceResolver(ClientRegistrationRepository clientRegistrationRepository) {
        DefaultOAuth2AuthorizationRequestResolver resolver = new DefaultOAuth2AuthorizationRequestResolver(
                clientRegistrationRepository,
                OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
        resolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());
        return resolver;
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // The two users need distinct usernames: InMemoryUserDetailsManager rejects a duplicate at startup.
        auth
            .inMemoryAuthentication()
            .withUser("test").password("test").roles("first")
            .and()
            .withUser("test2").password("test").roles("second");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }
}
```
I'm trying to secure 3 endpoints using basic authentication and OAuth.
To use multiple SecurityFilterChain beans, you should use the `HttpSecurity.securityMatcher()` method to scope each chain to its own requests. Like this:
```java
// Only requests under /test1 are dispatched to this chain.
@Order(Ordered.HIGHEST_PRECEDENCE)
@Bean
public SecurityFilterChain filterChainOauth2(HttpSecurity http) throws Exception {
    http
        .securityMatcher("/test1/**")
        .authorizeHttpRequests((authz) -> authz
            .anyRequest().authenticated()
        )
        .oauth2Login((oauth2Login) -> oauth2Login
            .userInfoEndpoint((userInfo) -> userInfo
                // grantedAuthoritiesMapper() is assumed to be defined elsewhere in the configuration
                .userAuthoritiesMapper(grantedAuthoritiesMapper())
            )
        );
    return http.build();
}

// No securityMatcher: this chain handles everything the chain above did not claim.
@Bean
public SecurityFilterChain filterChainDefault(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests((authz) -> authz
            .requestMatchers("/test2/**", "/test3/**").authenticated()
            .anyRequest().permitAll()
        )
        .csrf().disable()
        .httpBasic(withDefaults());
    return http.build();
}
```
Note the @Order annotation.
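As an added example (not the question's or the answer's code), a complete configuration along the lines the answer describes, with both chains scoped by `securityMatcher()`. It assumes an OAuth2 client registration is configured in application properties; the class and bean names are made up for the example.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig { // example name, not from the page

    // Chain 1 handles /test1 and the OAuth2 login endpoints. The authorization-request
    // (/oauth2/authorization/*) and redirect (/login/oauth2/code/*) URLs must be matched
    // here too: filters inside a chain only see requests that were dispatched to that chain.
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    SecurityFilterChain oauthChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/test1/**", "/oauth2/**", "/login/**")
            .authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
            .oauth2Login(withDefaults());
        return http.build();
    }

    // Chain 2 handles only /test2 and /test3 with HTTP Basic. A request matching neither
    // chain passes through with no security filters at all (Boot's default chain backs off
    // once you declare your own), so keep the matchers exactly as narrow as intended.
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE + 1)
    SecurityFilterChain basicChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/test2/**", "/test3/**")
            .authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
            .httpBasic(withDefaults());
        return http.build();
    }

    // Hashed credentials instead of NoOpPasswordEncoder; one constructed user for the Basic chain.
    @Bean
    UserDetailsService users() {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        return new InMemoryUserDetailsManager(
            User.withUsername("test").password(encoder.encode("test")).roles("first").build());
    }
}
```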
But if I use this code it almost works, and I can log in:
```java
@Order(Ordered.HIGHEST_PRECEDENCE)
@Bean
public SecurityFilterChain filterChainOauth(HttpSecurity http) throws Exception {
    http
        .securityMatcher("/test1/**")
        .oauth2Login((oauth2Login) -> oauth2Login
            .userInfoEndpoint((userInfo) -> userInfo
                .userAuthoritiesMapper(grantedAuthoritiesMapper())
            ))
        // second call customizes the same oauth2Login configurer
        .oauth2Login(oauth2Login -> oauth2Login.loginPage("/test1"));
    return http.build();
}
```
Any ideas?