
我正在編寫一個同時服務移動端和Web門戶請求的Spring應用程序。我添加了Controller來處理Web門戶請求,並添加了RestController來處理移動端請求,這些都在同一個項目中完成。如何在Spring MVC應用程序中添加兩種安全策略?

我已經在auth.xml中配置了身份驗證等全部內容。

<!-- Chain 1: stateless, token-authenticated REST API. intercept-url rules are
     matched in order, so the two permitAll entries must stay above the /api/**
     catch-all. NOTE(review): with create-session="stateless" there is no session
     for the bare logout element below to invalidate; confirm it is still needed. -->
<security:http pattern="/api/**" entry-point-ref="restAuthenticationEntryPoint" use-expressions="true" auto-config="false" create-session="stateless" >
      <security:intercept-url pattern="/api/auth" access="permitAll" />
      <security:intercept-url pattern="/api/token" access="permitAll" />
      <!-- the token filter takes the FORM_LOGIN_FILTER slot; auto-config="false" keeps
           the default form-login filter out of this chain -->
      <security:custom-filter ref="authenticationTokenProcessingFilter" position="FORM_LOGIN_FILTER" />
      <security:intercept-url pattern="/api/**" access="isAuthenticated()" />


      <security:logout />
     </security:http>

     <!-- Filter used by chain 1; the constructor argument is the path pattern the
          filter applies to (project class, behaviour not visible here). -->
     <bean class="com.auth.TokenAuthenticationFilter"
      id="authenticationTokenProcessingFilter">
      <constructor-arg type="java.lang.String"><value>/api/**</value></constructor-arg>
     </bean>


<!-- Code for REST API Authentication -->
<!-- NOTE(review): the heading above sits over the web-portal chain; the REST
     chain is the one with pattern="/api/**" further up. Confirm the label. -->

    <!-- create-session="stateless" -->

    <!-- Chain 2: session-based web portal. An http element without a pattern
         matches everything and must be the last http element. -->
    <security:http auto-config="false" use-expressions="true" entry-point-ref="ajaxAwareAuthenticationEntryPoint" disable-url-rewriting="true">
     <security:intercept-url pattern="/login" access="permitAll()" />
     <security:intercept-url pattern="/**" access="isAuthenticated()" />


     <security:custom-filter position="FORM_LOGIN_FILTER" ref="authenticationFilter" />
     <security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />

     <!-- NOTE(review): logout-success-url is /login.do, but the only permitAll rule
          in this chain is /login, so the post-logout redirect looks like it would
          itself require authentication; confirm /login.do is reachable anonymously. -->
     <security:logout logout-url="/logout" logout-success-url="/login.do" invalidate-session="true" />
     <security:remember-me services-ref="rememberMeService" />
     <security:session-management session-authentication-strategy-ref="sas" />
     <!-- NOTE(review): CSRF protection is switched off on a chain that uses form
          login, server sessions and remember-me cookies, so state-changing portal
          requests are exposed to cross-site request forgery unless another layer
          covers it; confirm this is intended. -->
     <security:csrf disabled="true"/>

    </security:http>

但我想整合Spring OAuth 2.0。有人有這方面的想法嗎?

回答


試試Spring Security。它具有內置的功能,而且您始終可以根據自己的需要覆蓋現有的行爲。


在我看來,所提供的配置本身就是Spring Security的配置。 – Tobb


順便說一下,提問者沒有給問題加上Spring Security標籤,這意味着他不熟悉Spring Security – FaigB


這並不一定意味着這一點,也可能只是他不知道如何正確地給問題加標籤。問題中提供的配置仍然是Spring Security的配置。 – Tobb


您可以爲2個不同的路徑配置2個不同的安全過濾器。這樣,您就可以對應用程序的不同路徑施加不同的保護。通常,您會希望「/public/」對任何人都可訪問,而「/api/」則通過身份驗證加以保護。

我強烈建議通過擴展WebSecurityConfigurerAdapter,以Java配置的方式來配置Spring Security。

下面是一個示例Java配置,它只保護一部分端點,同時讓其他端點可以公開訪問。

/**
 * Single Spring Security filter chain for a token-authenticated REST API.
 *
 * <p>Requests matching {@link #PUBLIC_URLS} are taken out of the security filter
 * chain entirely (see {@link #configure(WebSecurity)}); every other request must
 * be authenticated by the {@code RESTAuthenticationFilter}, otherwise
 * {@link #forbiddenEntryPoint()} answers with a 401. Form login, HTTP Basic,
 * logout, CSRF and session management are all switched off here.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * URLs that bypass security completely. Note that the first matcher covers
     * every OPTIONS request (CORS preflight) regardless of path.
     *
     * <p>NOTE(review): web.ignoring() removes these requests from the filter chain
     * altogether, so they receive no SecurityContext and none of the chain's
     * response headers; if the intent is only "no authentication required",
     * permitAll() inside configure(HttpSecurity) is the narrower option — confirm
     * which behaviour is wanted.
     */
    private static final RequestMatcher PUBLIC_URLS = new OrRequestMatcher(
        new AntPathRequestMatcher("/**", OPTIONS.toString()),
        new AntPathRequestMatcher("/public/**"),
        new AntPathRequestMatcher("/health"),
        // Spring Social
        new AntPathRequestMatcher("/signin/**"),
        new AntPathRequestMatcher("/auth/**"),
        // Swagger Documentation
        new AntPathRequestMatcher("/swagger-ui.html"),
        new AntPathRequestMatcher("/v2/api-docs"),
        new AntPathRequestMatcher("/swagger-resources/**"),
        new AntPathRequestMatcher("/webjars/**")
    );

    /** Everything not public; used both for the entry point and for the token filter. */
    private static final RequestMatcher PROTECTED_URLS = new NegatedRequestMatcher(PUBLIC_URLS);

    /** Validates the credentials the REST filter extracts (project class). */
    @Autowired
    private RESTAuthenticationProvider authenticationProvider;

    /** Handed to the REST filter as its token source (project class). */
    @Autowired
    private TokenService credentials;

    // Injected but not referenced anywhere in this class; presumably consumed by
    // the provider or filter elsewhere — TODO confirm, or drop the field.
    @Autowired
    private UserSecurityService users;

    /** Registers the single REST authentication provider with the manager. */
    @Override
    protected void configure(final AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(authenticationProvider);
    }

    /**
     * Exposes the AuthenticationManager as a bean so that
     * {@link #restAuthenticationFilter()} can be wired with it.
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /** Takes {@link #PUBLIC_URLS} out of the security filter chain (see the note on that field). */
    @Override
    public void configure(final WebSecurity web) throws Exception {
        web.ignoring().requestMatchers(PUBLIC_URLS);
    }

    /**
     * Builds the chain for everything that is not ignored above: the token filter
     * runs ahead of anonymous authentication, every request must be authenticated,
     * and the interactive/session features are disabled.
     */
    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
            .exceptionHandling()
            // this entry point handles when you request a protected page and you are not yet
            // authenticated
            .defaultAuthenticationEntryPointFor(forbiddenEntryPoint(), PROTECTED_URLS)
            .and()
            .authenticationProvider(authenticationProvider)
            // the token filter must run before the anonymous filter so that a valid token
            // is never replaced by an anonymous principal
            .addFilterBefore(restAuthenticationFilter(), AnonymousAuthenticationFilter.class)
            .authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
            // CSRF protection is dropped on the assumption that clients authenticate with a
            // bearer token on each request and never rely on a session cookie; see the
            // session note below
            .csrf().disable()
            .formLogin().disable()
            .httpBasic().disable()
            .logout().disable()
            // NOTE(review): disable() only removes the session-management configurer; it
            // does not by itself stop a session from being created and the SecurityContext
            // being stored in it. If the API is meant to be stateless,
            // sessionCreationPolicy(SessionCreationPolicy.STATELESS) is the explicit
            // form — confirm.
            .sessionManagement().disable();
    }

    /**
     * The token filter, restricted to {@link #PROTECTED_URLS} and wired with the
     * AuthenticationManager and the non-redirecting success handler.
     *
     * <p>NOTE(review): if this runs under Spring Boot, a Filter exposed as a @Bean is
     * also registered with the servlet container and would then run a second time per
     * request outside the security chain; a FilterRegistrationBean with
     * setEnabled(false) prevents that — confirm whether it applies here.
     */
    @Bean
    RESTAuthenticationFilter restAuthenticationFilter() throws Exception {
        final RESTAuthenticationFilter filter =
            new RESTAuthenticationFilter(PROTECTED_URLS, credentials);
        filter.setAuthenticationManager(authenticationManagerBean());
        filter.setAuthenticationSuccessHandler(getSuccessHandler());
        return filter;
    }

    // Upon successful authentication, Spring will attempt to try and move you to another URL
    // We have to prevent this because the request for the resource and the authentication all get done in the same request!
    /**
     * Success handler whose redirect is replaced by the project's
     * {@code NoRedirectStrategy}, presumably so that the request proceeds to the
     * resource instead of being redirected.
     */
    @Bean
    SimpleUrlAuthenticationSuccessHandler getSuccessHandler() {
        final SimpleUrlAuthenticationSuccessHandler successHandler = new SimpleUrlAuthenticationSuccessHandler();
        successHandler.setRedirectStrategy(new NoRedirectStrategy());
        return successHandler;
    }

    /**
     * Entry point for unauthenticated access to a protected URL. Despite the name it
     * answers 401 (unauthenticated, advertising the "Bearer" scheme) rather than 403.
     */
    @Bean
    AuthenticationEntryPoint forbiddenEntryPoint() {
        return new Http401AuthenticationEntryPoint("Bearer");
    }

}


謝謝 @Octoperf.com –
