Spring Boot + Security + Multi HTTP Web Configuration
【Title】: Spring Boot + Security + Multi HTTP Web Configuration 【Posted】: 2015-02-22 16:40:06 【Question】: I am trying to build an example using spring-boot with Spring Security. My idea is to create a web application and also provide an API, and I want both to be secured; so I need to create a multi-HTTP web security configuration, but it is not working.
I followed this link http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#multiple-httpsecurity, but without success. And I am getting this error:
Error creating bean with name 'webSecurityConfiguration': Injection of autowired dependencies failed; nested exception is java.lang.IllegalStateException: Cannot apply org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer to already built object
The configuration I am using is as follows:
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableGlobalAuthentication
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfiguration {

    @Autowired
    protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("12345").roles("USER").and()
                .withUser("admin").password("12345").roles("USER", "ADMIN");
    }

    @Configuration
    @Order(1)
    public static class ApiConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")
                .authorizeRequests()
                    .anyRequest().hasRole("ADMIN")
                    .and()
                .httpBasic();
        }
    }

    @Configuration
    @Order(2)
    public static class WebConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        public void configure(WebSecurity web) throws Exception {
            web
                .ignoring()
                    .antMatchers("/resources/**");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/home").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login").permitAll()
                    .and()
                .logout().permitAll();
        }
    }
}
Thanks in advance
【Answer 1】: After a lot of reading, I found something that worked for me:
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfiguration extends GlobalAuthenticationConfigurerAdapter {

    @Resource(name = "customUserDetailsService")
    protected CustomUserDetailsService customUserDetailsService;

    @Resource
    private DataSource dataSource;

    @Autowired
    protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(customUserDetailsService);
    }

    @Configuration
    @Order(1)
    public static class ApiConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Resource(name = "restUnauthorizedEntryPoint")
        private RestUnauthorizedEntryPoint restUnauthorizedEntryPoint;

        @Resource(name = "restAccessDeniedHandler")
        private RestAccessDeniedHandler restAccessDeniedHandler;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityXAuthConfigurerAdapter =
                    new XAuthTokenConfigurer(userDetailsServiceBean());

            // @formatter:off
            http
                .antMatcher("/api/**").csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .exceptionHandling()
                    .authenticationEntryPoint(restUnauthorizedEntryPoint)
                    .accessDeniedHandler(restAccessDeniedHandler)
                    .and()
                .authorizeRequests()
                    .antMatchers(HttpMethod.POST, "/api/authenticate").permitAll()
                    .anyRequest().hasRole("ADMIN")
                    .and()
                .apply(securityXAuthConfigurerAdapter);
            // @formatter:on
        }
    }

    @Configuration
    @Order(2)
    public static class WebConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            http
                .authorizeRequests()
                    .antMatchers("/", "/home").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login").permitAll()
                    .and()
                .logout().permitAll();
            // @formatter:on
        }
    }
}
【Answer 2】: I found that I could solve this by annotating my class with
@EnableWebSecurity
after reading this hint: https://github.com/spring-projects/spring-data-examples/issues/189#issuecomment-229552207
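【Answer 3】: I was also facing the same problem. But I solved it when I extended the main WebSecurityConfiguration class from WebSecurityConfigurerAdapter.
Please refer to the following *** post, where you can find the complete configuration.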
Spring Security HTTP Basic for RESTFul and FormLogin for web - Annotations
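As an added example (not part of the posts above), a MockMvc test can confirm that each request is handled by the intended filter chain: /api/** answers with an HTTP Basic challenge and enforces ADMIN, while other paths redirect to the login page. It assumes the question's in-memory users, Spring Boot 1.4/1.5 with Spring Security 4 and spring-security-test on the test classpath, and an application class that @SpringBootTest can discover; the test class name and the paths /api/ping and /account are hypothetical.

```java
// Added example, not from the original posts. Assumes the question's in-memory
// users (user/12345 = USER, admin/12345 = USER + ADMIN) and a context that starts.
import static org.hamcrest.Matchers.startsWith;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

@RunWith(SpringRunner.class)
@SpringBootTest
public class SecurityChainRoutingTest { // hypothetical class name
    @Autowired
    private WebApplicationContext context;
    private MockMvc mvc;

    @Before
    public void setUp() {
        // springSecurity() registers the security filter chain, so both adapters are exercised
        mvc = MockMvcBuilders.webAppContextSetup(context).apply(springSecurity()).build();
    }

    @Test // the @Order(1) chain must answer /api/** with 401 + Basic, never a login redirect
    public void apiChainChallengesWithBasic() throws Exception {
        mvc.perform(get("/api/ping"))
           .andExpect(status().isUnauthorized())
           .andExpect(header().string("WWW-Authenticate", startsWith("Basic")));
    }

    @Test // valid credentials without the ADMIN role are rejected on the API chain
    public void apiChainRejectsNonAdmin() throws Exception {
        mvc.perform(get("/api/ping").with(httpBasic("user", "12345")))
           .andExpect(status().isForbidden());
    }

    @Test // everything outside /api/** falls through to the form-login chain
    public void webChainRedirectsAnonymousToLogin() throws Exception {
        mvc.perform(get("/account"))
           .andExpect(redirectedUrlPattern("**/login"));
    }
}
```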