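I want to implement HTTP basic authentication for the path '/api/' of my Spring Boot application, and form authentication for the paths '/' and '/admin'.
This is my current Java configuration code, but it doesn't work. Any ideas? =) This code protects the whole site with HTTP basic, not just "/api". I found some questions on Stack Overflow, but they don't seem to solve my problem: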

    public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
        @Autowired
        private DataSource datasource;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Both blocks below configure the same HttpSecurity instance,
            // i.e. a single filter chain that handles every path.
            http.authorizeRequests()
                .antMatchers("/api/**").authenticated().and()
                .httpBasic();
            http.authorizeRequests()
                .antMatchers("/**").authenticated()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .and()
                .formLogin().loginPage("/login").permitAll()
                .defaultSuccessUrl("/inicio");
            http.logout().permitAll();
            http.csrf().disable();
        }
    }
...

I had the same problem and had to separate the basic authentication and the form authentication.
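
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.Ordered;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    // Form login for every path that the /api/** configuration does not claim.
    @Configuration
    @EnableWebSecurity
    public class FormSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests() //
                // Rules are evaluated in order and the first match wins,
                // so "/admin/**" has to come before the catch-all "/**".
                .antMatchers("/admin/**").hasRole("ADMIN") //
                .antMatchers("/**").authenticated() //
                .and() //
                .formLogin().loginPage("/login").defaultSuccessUrl("/inicio").permitAll() //
                .and() //
                .logout();
        }
    }

    // HTTP Basic for /api/** only; the highest precedence makes this chain match first.
    @Configuration
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public class BasicSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable();
            http.antMatcher("/api/**") //
                .authorizeRequests().anyRequest().authenticated() //
                .and() //
                .httpBasic();
        }
    }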

WebSecurityConfigurerAdapter is now deprecated (Spring Security 6.0 and later), so we can rewrite the code above as
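
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.Ordered;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.Customizer;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.web.SecurityFilterChain;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig {
        // Form login for every path that the /api/** chain does not claim.
        @Bean
        public SecurityFilterChain formFilterChain(HttpSecurity http) throws Exception {
            http.authorizeHttpRequests(auth -> auth
                    // Rules are evaluated in order and the first match wins,
                    // so "/admin/**" has to come before the catch-all "/**".
                    .requestMatchers("/admin/**").hasRole("ADMIN")
                    .requestMatchers("/**").authenticated())
                .formLogin(login -> login
                    .loginPage("/login")
                    .defaultSuccessUrl("/inicio")
                    .permitAll())
                .logout(Customizer.withDefaults());
            return http.build();
        }
    }

    @Configuration
    public class BasicSecurityConfig {
        // HTTP Basic for /api/** only. @Order goes on the bean method so that
        // this chain is consulted before the form-login chain.
        @Bean
        @Order(Ordered.HIGHEST_PRECEDENCE)
        public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
            http.securityMatcher("/api/**")
                .csrf(csrf -> csrf.disable())
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                .httpBasic(Customizer.withDefaults());
            return http.build();
        }
    }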
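
The path split described in the answers above can be checked with a MockMvc test. This is an added example, not code from the original posts; it assumes Spring Boot 3.x with JUnit 5 and spring-security-test, and the class name, the request paths and the user "alice" are made up for illustration.

```java
import static org.hamcrest.Matchers.endsWith;
import static org.hamcrest.Matchers.startsWith;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Assumption: the application context contains a two-chain configuration like the one above.
// The paths are constructed; no controller is needed because the security filters answer first.
@SpringBootTest
@AutoConfigureMockMvc
class SecurityChainsTest {
    @Autowired private MockMvc mvc;

    @Test
    void apiAnswersWithBasicChallengeNotLoginRedirect() throws Exception {
        mvc.perform(get("/api/ping"))
            .andExpect(status().isUnauthorized())
            .andExpect(header().string("WWW-Authenticate", startsWith("Basic")));
    }

    @Test
    void apiPostIsNotBlockedByCsrf() throws Exception {
        // CSRF is disabled on the /api/** chain, so the failure is 401, not 403.
        mvc.perform(post("/api/ping")).andExpect(status().isUnauthorized());
    }

    @Test
    void pagesRedirectToFormLogin() throws Exception {
        mvc.perform(get("/inicio"))
            .andExpect(status().is3xxRedirection())
            .andExpect(header().string("Location", endsWith("/login")));
    }

    @Test
    void adminIsForbiddenForNonAdminUser() throws Exception {
        // Fails if the "/**" rule is listed before "/admin/**".
        mvc.perform(get("/admin/users").with(user("alice").roles("USER")))
            .andExpect(status().isForbidden());
    }
}
```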