
I have an application with a very simple security configuration, and I cannot seem to protect the actuator endpoints. From what I have read elsewhere on SO, disabling security on those endpoints does not appear to be straightforward, so I am confused and would appreciate some help understanding what is going on here.

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// WebSecurityProperties is the asker's own properties class (assumed to live in the same package).
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig {
    @Autowired
    private DataSource dataSource;

    @Autowired
    private WebSecurityProperties properties;

    // Users and roles come from the database via JDBC authentication.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
                .dataSource(dataSource);
    }

    // Stateless HTTP Basic chain for the API paths.
    @Configuration
    @Order(0)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Autowired
        private WebSecurityProperties properties;

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                    .csrf().disable()
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                    .authorizeRequests()
                    .antMatchers("/web/**", "/example/**").hasRole(properties.getApiUserGroup())
                    .and()
                    .httpBasic();
        }
    }

    // Catch-all chain (default order) for everything else, including the actuator endpoints.
    @Configuration
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        @Autowired
        private WebSecurityProperties properties;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .authorizeRequests()
                    .antMatchers("/index.html")
                    .permitAll()
                    .and()
                    .authorizeRequests()
                    .antMatchers("/**").hasRole(properties.getAdminGroup());
        }
    }
}

1 Answer


OK, it looks like there were a couple of problems with my configuration.

  • Using the @EnableWebSecurity annotation. Apparently this disables the Spring Boot defaults. According to dsyer, "if you use @EnableWebSecurity you switch off the Spring Boot setup completely".
  • Failing to specify the order in which the configuration is applied. Specifically, I had not declared @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) at the class level.

As part of getting this to work I simplified my configuration and ended up with this:

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// WebSecurityProperties is the asker's own properties class (assumed to live in the same package).
// No @EnableWebSecurity here, so the Spring Boot security defaults (including actuator security) stay on;
// ACCESS_OVERRIDE_ORDER places this chain after Boot's management security chain.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private DataSource dataSource;

    @Autowired
    private WebSecurityProperties properties;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
                .dataSource(dataSource);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
                .antMatchers("/web/**", "/example/**").hasRole(properties.getApiUserGroup())
                .antMatchers("/index.html").permitAll().and()
            .httpBasic().realmName("API example");
    }
}
answered 2016-02-22T18:10:57.490