我有一个安全配置非常简单的应用程序,似乎无法保护执行器端点。从我在 SO 其他地方读到的内容来看,禁用这些端点的安全性似乎并不简单,所以我很困惑,希望能在理解这里发生的事情方面得到一些帮助。
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig {
@Autowired
private DataSource dataSource;
@Autowired
private WebSecurityProperties properties;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.
jdbcAuthentication()
.dataSource(dataSource);
}
@Configuration
@Order(0)
public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
@Autowired
private WebSecurityProperties properties;
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/web/**", "/example/**").hasRole(properties.getApiUserGroup())
.and()
.httpBasic();
}
}
@Configuration
public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Autowired
private WebSecurityProperties properties;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/index.html")
.permitAll()
.and()
.authorizeRequests()
.antMatchers("/**").hasRole(properties.getAdminGroup());
}
}
}