Spring Security 配置多WebSecurityConfigurerAdapter

Spring Security多入口

官方為了友善示範使用的是一個主類,兩個内部類來實作的多入口,下面的例子将其拆分為兩個配置類,兩個使用者友善了解.

配置

@Configuration
public class FormSecurityConfig extends WebSecurityConfigurerAdapter {
    @Bean
    public static PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().disable()
                .csrf().disable()
                .authorizeRequests().antMatchers("/form/**")
                .hasRole("USER")
                .and()
                .formLogin().successForwardUrl("/form/index");
    }
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("user")
                .password(passwordEncoder().encode("user"))
                .roles("USER");
    }
}      

說明:

• 上面的配置為系統指定了user為預設使用者,擁有USER權限,
• 指定以form起始的路徑需要校驗USER權限
• 增加formLogin,指定/form/index為登陸成功指向的頁面

@Order(1)
@Configuration
public class BasicSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private PasswordEncoder passwordEncoder;
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .antMatcher("/basic/**")
                .authorizeRequests().anyRequest()
                .hasRole("BASIC")
                .and()
                .httpBasic();
    }
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("basic")
                .password(passwordEncoder.encode("basic"))
                .roles("BASIC");
    }
}      

• 使用@Order(1)指定了加載順序
• 上面的配置為系統指定了basic為預設使用者,擁有BASIC權限,
• 指定以basic起始的路徑需要校驗BASIC權限
• 增加httpBasic驗證

注意事項

1. HttpSecurity配置以authorizeRequests為起始表示針對所有請求路徑
2. HttpSecurity配置以antMatcher("/basic/**")為新增一個入口
3. FormSecurityConfig 未寫@Order繼承WebSecurityConfigurerAdapter中注解序号為100
4. 由于formLogin會增加預設登陸頁過濾器/login是以不能使用其它路徑作為起始,否則會導緻預設登入頁不生效
5. 如果authorizeRequests加載順序靠前會導緻後續配置的antMatcher對應的路徑失效.

相關代碼

https://gitee.com/MeiJM/spring-cram/tree/master/customSecurity

參考資料

https://docs.spring.io/spring-security/site/docs/5.4.1/reference/html5/#multiple-httpsecurity https://www.baeldung.com/spring-security-multiple-entry-points https://github.com/spring-projects/spring-security/issues/5593 https://github.com/mageddo/java-examples/blob/6a7dd2b/spring-security/basic-and-form-auth-together/src/main/java/com/mageddo/springsecurity/SecurityConfig.java