我想将 spring 安全配置从 xml 转换为 java config。还没有完成,最后一个问题是 AuthenticationEntryPoint。它在 HttpSecurity 中的设置将被忽略。
我使用 Spring 安全 3.2.0.M2
截断 SecurityConfig.class
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.addFilterAfter(httpPayloadFilter(), ChannelProcessingFilter.class)
.addFilterAfter(httpRestLoginFilter(), SecurityContextPersistenceFilter.class)
.authorizeUrls()
.antMatchers("/**").hasRole("USER")
.antMatchers("/secure/clientident/**").hasRole("REQUESTVALID")
.and()
.httpBasic().authenticationEntryPoint(delegatingAuthenticationEntryPoint());
}
@Bean
public DelegatingAuthenticationEntryPoint delegatingAuthenticationEntryPoint() {
ELRequestMatcher matcher = new ELRequestMatcher("hasHeader('user-agent', 'Mozilla') or " +
"hasHeader('user-agent', 'Chromium') or " +
"hasHeader('user-agent', 'Chrome') or " +
"hasHeader('user-agent', 'Safari')");
LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> map =
new LinkedHashMap<RequestMatcher, AuthenticationEntryPoint>();
map.put(matcher, new BasicAuthenticationEntryPoint());
DelegatingAuthenticationEntryPoint delegatingAuthenticationEntryPoint = new DelegatingAuthenticationEntryPoint(map);
delegatingAuthenticationEntryPoint.setDefaultEntryPoint(new Http403ForbiddenEntryPoint());
return delegatingAuthenticationEntryPoint;
}
我总是在客户端得到“HTTP 403”(猜测 Http403ForbiddenEntryPoint)。我也尝试了一个更简单的配置,而不像 delegatingAuthenticationEntryPoint 这样。
.httpBasic().authenticationEntryPoint(new BasicAuthenticationEntryPoint())
这也行不通。有谁知道我做错了什么?
补充:
应该更好地锁定。找到另一个关于这个问题的帖子。
需要仅显示基本身份验证的 spring security java config 示例 还放置
了 Ticket SEC-2198 。
当前的解决方法。
.exceptionHandling()
.authenticationEntryPoint(delegatingAuthenticationEntryPoint())
.and()
.httpBasic();