問題描述
我正在嘗試讓 Spring Security 的基本身份驗證與 JWT 令牌身份驗證并行工作,但沒有成功.我已經為我的 Web 控制臺和 JWT 實現了基本身份驗證,以保護許多 API 端點.這是我的配置:
I am trying to get Spring Security's basic authentication to work side by side with JWT token authentication with no success. I have implemented basic authentication for my web console and JWT to secure a number of API endpoints. Here's my config:
}
我注意到我用 Order(1) 注釋的配置是 Spring Security 選擇的配置,而另一個則被完全忽略.就像上面的配置一樣,如果我嘗試訪問/console/login,我會收到 401 錯誤.任何幫助將不勝感激.
I have noticed that the configuration I annotate with Order(1) is the one that is picked by Spring Security and the other is completely ignored. Like in the above config, I get 401 error if I try to access /console/login. Any help would be much appreciated.
推薦答案
原因是因為ApiWebSecurityConfigurationAdapter
和FormLoginWebSecurityConfig
都沒有使用antMatcher()
代碼>.這意味著兩種安全配置都將處理所有路徑,即使您之后使用 antMatchers()
也是如此.因此,具有最低順序的配置 (@Order(1)
) 將處理所有事情,而另一個則什么也不做.
The reason why is because neither ApiWebSecurityConfigurationAdapter
nor FormLoginWebSecurityConfig
uses the antMatcher()
. This means that both security configurations will handle all paths, even though you're using antMatchers()
afterwards. Due to this, the configuration with the lowest order (@Order(1)
) will handle everything, while the other one will do nothing.
docs 中也提到了這一點:
http.antMatcher
聲明此 HttpSecurity
將僅適用于以 /api/
The
http.antMatcher
states that thisHttpSecurity
will only be applicable to URLs that start with/api/
因此,要解決此問題,您必須為您的一個配置(或兩者)提供一個 antMatcher
.例如,如果表單登錄只應用于 /console/login
和 /console/home
,您可以將配置更改為:
So, to fix this problem, you have to povide an antMatcher
to one of your configurations (or both). For example, if the form login should only be applied to /console/login
and /console/home
, you could change the configuration to:
關于這個主題的另一個好讀物是這個問題:何時使用 Spring Security`santMatcher()?
Another good read about this topic is this question: When to use Spring Security`s antMatcher()?
請注意,您不應像添加 .csrf().disable()
那樣兩次使用 http
構建器,將其添加到另一個構建器就像我在上面的代碼中所做的那樣.
Please note that you shouldn't use the http
builder twice like you did to add the .csrf().disable()
, add it to the other builder like I did in the code above.
另外請注意,您可能需要更改訂單.您應該將順序放在配置最詳細的 antMatcher()
上,在本例中為 FormLoginWebSecurityConfig
.
Also be aware that you'll likely have to change the order. You should put the order on the configuration with the most detailed antMatcher()
, in this case FormLoginWebSecurityConfig
.
這篇關于Spring Security with Spring Boot:將基本身份驗證與 JWT 令牌身份驗證混合使用的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!