首页 / JAVA / 自定义身份验证使用Java Config在多个HttpSecurity对象中进行过滤

自定义身份验证使用Java Config在多个HttpSecurity对象中进行过滤

内容导读

互联网集市收集整理的这篇技术教程文章主要介绍了自定义身份验证使用Java Config在多个HttpSecurity对象中进行过滤,小编现在分享给大家,供广大互联网技能从业者学习和参考。文章包含4701字,纯文字阅读大概需要7分钟

内容图文

我希望有两个不同的http Web配置,其中包含使用spring boot和spring java config的自定义身份验证过滤器.
我按照可在此处找到的示例应用程序:https://github.com/spring-projects/spring-security-javaconfig/blob/master/samples-web.md#sample-multi-http-web-configuration.
我的理解是,这将最终出现在每个Web配置的单独的弹簧过滤器链中.但是,尽管Web配置URL模式与请求不匹配,但都会调用这两个过滤器.
例如,请求http://localhost:8080/api/dosomething将调用两个过滤器,而不仅仅是CustomApiAuthenticationFilter.当然,有可能在doFilterInternal中检查请求url并忽略请求,如果它不匹配但我认为这应该通过尊重相应Web配置的url模式自动完成.
此外,我的RestController不会被分别调用Postman只接收状态代码200 OK而没有响应主体.

两个问题:
1.这种行为是设计还是配置错误?
2.为什么我的RestController没有被调用?

@EnableWebSecurity
public class SecurityConfiguration {

    @Configuration
    @Order(1)
    public static class ApiConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Bean
        public GenericFilterBean apiAuthenticationFilter() {
            return new CustomApiAuthenticationFilter();
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {

            http.antMatcher("/api/**").addFilterAfter(apiAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests().antMatchers("/api/**").authenticated();
        }
    }

    @Configuration
    @Order(2)
    public static class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Bean
        public GenericFilterBean webAuthenticationFilter() {
            return new CustomWebAuthenticationFilter();
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/").addFilterAfter(webAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
                .authorizeRequests().antMatchers("/").authenticated();
        }
    }
}

public class CustomApiAuthenticationFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        Authentication auth = new UsernamePasswordAuthenticationToken("sub", "password", ImmutableList.of(new SimpleGrantedAuthority("API")));
        SecurityContextHolder.getContext().setAuthentication(auth);
    }
}

public class CustomWebAuthenticationFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        Authentication auth = new UsernamePasswordAuthenticationToken("sub", "password", ImmutableList.of(new SimpleGrantedAuthority("USER")));
        SecurityContextHolder.getContext().setAuthentication(auth);
    }
}

@RestController
public class ApiController {
    @RequestMapping(value = "/api/v1/dosomething", method = RequestMethod.GET)
    public String getSomething() {
        return "something";
    }
}

解决方法:

感谢M. Deinum,他给了我正确的答案.以下现在按预期工作,但我仍然不确定这是否合法.

@EnableWebSecurity
public class SecurityConfiguration {

    @Configuration
    @Order(1)
    public static class ApiConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {

            http.antMatcher("/api/**")
                .addFilterAfter(new CustomApiAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests().anyRequest().hasRole("API");
        }
    }

    @Configuration
    @Order(2)
    public static class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/")
                .addFilterAfter(new CustomWebAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)
                .authorizeRequests().anyRequest().hasRole("USER");
        }
    }
}

public class CustomApiAuthenticationFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        Authentication auth = new UsernamePasswordAuthenticationToken("sub", "password", ImmutableList.of(new SimpleGrantedAuthority("ROLE_API")));
        SecurityContextHolder.getContext().setAuthentication(auth);
        filterChain.doFilter(request, response);
    }
}

public class CustomWebAuthenticationFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        Authentication auth = new UsernamePasswordAuthenticationToken("sub", "password", ImmutableList.of(new SimpleGrantedAuthority("ROLE_USER")));
        SecurityContextHolder.getContext().setAuthentication(auth);
        filterChain.doFilter(request, response);
    }
}

内容总结

以上是互联网集市为您收集整理的自定义身份验证使用Java Config在多个HttpSecurity对象中进行过滤全部内容,希望文章能够帮你解决自定义身份验证使用Java Config在多个HttpSecurity对象中进行过滤所遇到的程序开发问题。 如果觉得互联网集市技术教程内容还不错,欢迎将互联网集市网站推荐给程序员好友。

内容备注

版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 gblab@vip.qq.com 举报,一经查实,本站将立刻删除。

内容手机端

扫描二维码推送至手机访问。

本文链接:https://qyyshop.com/info/772763.html

来源:【匿名】