久久久久久久av_日韩在线中文_看一级毛片视频_日本精品二区_成人深夜福利视频_武道仙尊动漫在线观看

Spring Security with Spring Boot:將基本身份驗證與 JWT

Spring Security with Spring Boot: Mix Basic Authentication with JWT token authentication(Spring Security with Spring Boot:將基本身份驗證與 JWT 令牌身份驗證混合使用)
本文介紹了Spring Security with Spring Boot:將基本身份驗證與 JWT 令牌身份驗證混合使用的處理方法,對大家解決問題具有一定的參考價值,需要的朋友們下面隨著小編來一起學習吧!

問題描述

我正在嘗試讓 Spring Security 的基本身份驗證與 JWT 令牌身份驗證并行工作,但沒有成功.我已經為我的 Web 控制臺和 JWT 實現了基本身份驗證,以保護許多 API 端點.這是我的配置:

I am trying to get Spring Security's basic authentication to work side by side with JWT token authentication with no success. I have implemented basic authentication for my web console and JWT to secure a number of API endpoints. Here's my config:

@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MultiHttpSecurityConfig {

@Autowired
private UserDetailsService userDetailsService;    

@Autowired
public void configureAuthentication(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
    authenticationManagerBuilder
            .userDetailsService(this.userDetailsService)
            .passwordEncoder(bCryptPasswordEncoder());
}

@Bean
public PasswordEncoder bCryptPasswordEncoder() {
    return new BCryptPasswordEncoder();
}

/**
 * 
 * API Security configuration
 *
 */
@Configuration
@Order(1) 
public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter{

    @Bean
    public JwtAuthenticationTokenFilter authenticationTokenFilterBean() throws Exception {
        return new JwtAuthenticationTokenFilter();
    }

    @Autowired
    private JwtAuthenticationEntryPoint unauthorizedHandler;

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity   
            .csrf().disable()
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()                
            // don't create session
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests().antMatchers("/api/**","/refresh/**").authenticated()
            .antMatchers("/auth/**").permitAll().anyRequest().authenticated();               
        // Custom JWT based security filter
        httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
        // disable page caching
        httpSecurity.headers().cacheControl();
    }
}

/**
 * 
 * Form login security configuration
 *
 */
@Configuration
public static class FormLoginWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private ConsoleAuthenticationEntryPoint consoleAuthenticationEntryPoint;

    @Override
    protected void configure(HttpSecurity http) throws Exception {          
        http.httpBasic().and().exceptionHandling().authenticationEntryPoint(
                consoleAuthenticationEntryPoint).and()
         .authorizeRequests().antMatchers("/console/**").authenticated()
         .antMatchers(HttpMethod.GET,
                    "/*.html",
                    "/favicon.ico",
                    "/**/*.html",
                    "/**/*.css",
                    "/**/*.js").permitAll()
         .anyRequest().authenticated()
         .and()
         .formLogin().defaultSuccessUrl("/console/home")
         .loginPage("/console/login")
         .permitAll()
         .and()
         .logout()
         .permitAll();
        http.csrf().disable();
    }
}

}

我注意到我用 Order(1) 注釋的配置是 Spring Security 選擇的配置,而另一個則被完全忽略.就像上面的配置一樣,如果我嘗試訪問/console/login,我會收到 401 錯誤.任何幫助將不勝感激.

I have noticed that the configuration I annotate with Order(1) is the one that is picked by Spring Security and the other is completely ignored. Like in the above config, I get 401 error if I try to access /console/login. Any help would be much appreciated.

推薦答案

原因是因為ApiWebSecurityConfigurationAdapterFormLoginWebSecurityConfig都沒有使用antMatcher()代碼>.這意味著兩種安全配置都將處理所有路徑,即使您之后使用 antMatchers() 也是如此.因此,具有最低順序的配置 (@Order(1)) 將處理所有事情,而另一個則什么也不做.

The reason why is because neither ApiWebSecurityConfigurationAdapter nor FormLoginWebSecurityConfig uses the antMatcher(). This means that both security configurations will handle all paths, even though you're using antMatchers() afterwards. Due to this, the configuration with the lowest order (@Order(1)) will handle everything, while the other one will do nothing.

docs 中也提到了這一點:

http.antMatcher 聲明此 HttpSecurity 將僅適用于以 /api/

The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/

因此,要解決此問題,您必須為您的一個配置(或兩者)提供一個 antMatcher.例如,如果表單登錄只應用于 /console/login/console/home,您可以將配置更改為:

So, to fix this problem, you have to povide an antMatcher to one of your configurations (or both). For example, if the form login should only be applied to /console/login and /console/home, you could change the configuration to:

@Override
protected void configure(HttpSecurity http) throws Exception {          
    http
        .antMatcher("/console/**") // Add this
        .httpBasic().and()
        .exceptionHandling().authenticationEntryPoint(consoleAuthenticationEntryPoint).and()
        .authorizeRequests().antMatchers("/console/**").authenticated()
        .antMatchers(HttpMethod.GET,
                "/*.html",
                "/favicon.ico",
                "/**/*.html",
                "/**/*.css",
                "/**/*.js").permitAll()
        .anyRequest().authenticated().and()
        .formLogin().defaultSuccessUrl("/console/home")
        .loginPage("/console/login").permitAll().and()
        .logout().permitAll().and() // Make sure to use .and() to add the .csrf()
        .csrf().disable();
}

關于這個主題的另一個好讀物是這個問題:何時使用 Spring Security`santMatcher()?

Another good read about this topic is this question: When to use Spring Security`s antMatcher()?

請注意,您不應像添加 .csrf().disable() 那樣兩次使用 http 構建器,將其添加到另一個構建器就像我在上面的代碼中所做的那樣.

Please note that you shouldn't use the http builder twice like you did to add the .csrf().disable(), add it to the other builder like I did in the code above.

另外請注意,您可能需要更改訂單.您應該將順序放在配置最詳細的 antMatcher() 上,在本例中為 FormLoginWebSecurityConfig.

Also be aware that you'll likely have to change the order. You should put the order on the configuration with the most detailed antMatcher(), in this case FormLoginWebSecurityConfig.

這篇關于Spring Security with Spring Boot:將基本身份驗證與 JWT 令牌身份驗證混合使用的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!

【網站聲明】本站部分內容來源于互聯網,旨在幫助大家更快的解決問題,如果有圖片或者內容侵犯了您的權益,請聯系我們刪除處理,感謝您的支持!

相關文檔推薦

How to wrap text around components in a JTextPane?(如何在 JTextPane 中的組件周圍環繞文本?)
MyBatis, how to get the auto generated key of an insert? [MySql](MyBatis,如何獲取插入的自動生成密鑰?[MySql])
Inserting to Oracle Nested Table in Java(在 Java 中插入 Oracle 嵌套表)
Java: How to insert CLOB into oracle database(Java:如何將 CLOB 插入 oracle 數據庫)
Why does Spring-data-jdbc not save my Car object?(為什么 Spring-data-jdbc 不保存我的 Car 對象?)
Use threading to process file chunk by chunk(使用線程逐塊處理文件)
主站蜘蛛池模板: 中文字幕视频在线观看 | 黄色片免费看 | 成年女人免费v片 | 欧美综合国产精品久久丁香 | 日本一区二区三区四区 | 欧美精品一区二区在线观看 | 国产成人精品一区 | av免费网站在线观看 | 网站黄色av | 这里有精品 | 日韩精品一区二区三区视频播放 | 黑人一级黄色大片 | 亚洲一区二区三区久久久 | 精品欧美乱码久久久久久 | 国产乱码精品1区2区3区 | 成人蜜桃av | 中文字幕亚洲精品 | h肉视频 | 日日干综合| 天天干人人 | 亚洲欧美一区二区三区情侣bbw | 久久噜噜噜精品国产亚洲综合 | 少妇一级淫片aaaaaaaaa | 日韩欧美三区 | 久久成人午夜 | 你懂的免费在线 | 在线免费看黄 | 日本高清视频在线播放 | 伊人网91 | av网站免费看 | 韩国av电影网 | 网址黄 | 一区二区三区高清 | 日韩成人在线观看 | 欧美精品中文 | aaa国产大片 | 成人午夜免费视频 | 羞羞视频网站在线观看 | 国产精品视频一区二区三区四区国 | 亚洲国产精品久久久久婷婷老年 | 午夜精品久久久久久久星辰影院 |