My goal is to use both kinds of security at the same time in a Spring Boot application. I have already done the API side with JWT, but I don't know how to implement sessions for the WEB side. I have done it in another project, but I don't know how to make them work together.
Here is my SecurityConfig:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().ignoringAntMatchers("/api/**")
        .and()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        .antMatchers("/api/register").permitAll()
        .antMatchers("/api/login").permitAll()
        .antMatchers("/api/public").permitAll()
        .antMatchers("/api/lost").permitAll()
        .antMatchers("/").permitAll()
        .antMatchers("/login").permitAll()
        .antMatchers("/contact").permitAll()
        .antMatchers("/resources/**").permitAll()
        .antMatchers("/file/**").permitAll()
        .anyRequest().authenticated()
        .and()
        .apply(new JWTConfigurer(this.tokenProvider));
}
```
I would like something like this:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        // For the API side, something like:
        .match("/api/**")
        // No CSRF
        .csrf().ignoringAntMatchers("/api/**")
        // STATELESS session
        // Use the token filter
        .apply(new JWTConfigurer(this.tokenProvider));

        // For the WEB side, something like:
        .match("others")
        // Use CSRF
        .csrf()
        // Use a session
        // And the other permits:
        .authorizeRequests()
        .antMatchers("/api/register").permitAll()
        .antMatchers("/api/login").permitAll()
        .antMatchers("/api/public").permitAll()
        .antMatchers("/api/lost").permitAll()
        .antMatchers("/").permitAll()
        .antMatchers("/login").permitAll()
        .antMatchers("/contact").permitAll()
        .antMatchers("/resources/**").permitAll()
        .antMatchers("/file/**").permitAll()
        .anyRequest().authenticated();
}
```
Can anyone tell me how to do this (and explain to me how it works)? I haven't found any good solution for what I'm looking for.
After 6 hours of searching, here is the solution: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#multiple-httpsecurity
Edit: here is my approach:
```java
@EnableWebSecurity
public class MultiHttpSecurityConfig {

    @Autowired
    private UserDetailsService userDetailsService;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);
    }

    // Nested @Configuration classes are declared static, as in the Spring Security reference
    @Configuration
    @Order(1)
    public static class ApiSecurityAdapter extends WebSecurityConfigurerAdapter {

        private TokenProvider tokenProvider;

        public ApiSecurityAdapter(TokenProvider tokenProvider) {
            this.tokenProvider = tokenProvider;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**") // <= Security only available for /api/**
                .authorizeRequests()
                .antMatchers("/api/register").permitAll()
                .antMatchers("/api/login").permitAll()
                .antMatchers("/api/public").permitAll()
                .antMatchers("/api/lost").permitAll()
                .anyRequest().authenticated()
                .and()
                .apply(new JWTConfigurer(this.tokenProvider))
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }
    }

    @Configuration
    public static class WebSecurityAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http // <= Security available for others (not /api/)
                .authorizeRequests()
                .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
                .antMatchers("/").permitAll()
                .antMatchers("/login").permitAll()
                .antMatchers("/resources/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginPage("/login")
                .usernameParameter("email")
                .passwordParameter("password")
                .defaultSuccessUrl("/central", false)
                .failureForwardUrl("/login/fail")
                .and()
                .logout()
                .invalidateHttpSession(true)
                .logoutUrl("/logout")
                .logoutSuccessUrl("/")
                .and()
                .csrf();
        }
    }
}
```
Hope this helps!
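The same two-chain layout, written out as an added example (not the answerer's code) to make the security difference between the chains explicit. It assumes the `TokenProvider` and `JWTConfigurer` classes the question refers to exist and that the JWT is sent in an `Authorization` header rather than a cookie; the URL paths are the ones from the question. The API chain is matched first by `@Order(1)` and scoped to `/api/**` by `antMatcher`, is stateless, and has CSRF protection disabled; the web chain has no `antMatcher`, so it catches every other request, and keeps the default CSRF protection because its authentication rides on a session cookie.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableWebSecurity
public class MultiHttpSecurityConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);
    }

    // Chain 1: JWT for /api/**. @Order(1) makes Spring Security consult it first, and
    // antMatcher("/api/**") limits the whole chain to that prefix, so any other request
    // skips it and falls through to chain 2.
    @Configuration
    @Order(1)
    public static class ApiSecurityAdapter extends WebSecurityConfigurerAdapter {

        // TokenProvider and JWTConfigurer are the question's own classes (assumed to exist).
        private final TokenProvider tokenProvider;

        public ApiSecurityAdapter(TokenProvider tokenProvider) {
            this.tokenProvider = tokenProvider;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**")
                // The JWT travels in a request header the browser never attaches on its own,
                // so a cross-site form post cannot carry it; CSRF protection is not needed here
                // and, left on, would reject every API POST that lacks a CSRF token.
                .csrf().disable()
                // No HttpSession for the API: each request must present its own token.
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                    .antMatchers("/api/register", "/api/login", "/api/public", "/api/lost").permitAll()
                    .anyRequest().authenticated()
                .and()
                .apply(new JWTConfigurer(tokenProvider));
        }
    }

    // Chain 2: session + form login for everything that is not /api/**.
    // No @Order: WebSecurityConfigurerAdapter defaults to order 100, i.e. after chain 1.
    @Configuration
    public static class WebSecurityAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/login", "/contact", "/resources/**", "/file/**").permitAll()
                    .antMatchers("/admin/**").hasRole("ADMIN")
                    .anyRequest().authenticated()
                .and()
                .formLogin()
                    .loginPage("/login")
                    .usernameParameter("email")
                    .passwordParameter("password")
                    .defaultSuccessUrl("/central", false)
                    .failureForwardUrl("/login/fail")
                .and()
                .logout()
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/")
                    .invalidateHttpSession(true)
                    .deleteCookies("JSESSIONID")
                .and()
                // Cookie-based sessions are exactly what CSRF abuses, so protection stays on.
                // Spring Security enables it by default; calling csrf() only makes that explicit.
                .csrf()
                .and()
                .sessionManagement()
                    // Issue a fresh session id on login so a pre-login id cannot be reused.
                    .sessionFixation().migrateSession();
        }
    }
}
```

Two practical consequences of this split: with CSRF enabled on the web chain, `/logout` must be a POST that carries the CSRF token (a plain GET link will be rejected), and a request to `/api/...` never reaches the form-login chain, so the API permits and the web permits live in separate lists instead of one shared `authorizeRequests()`. If you add further chains, give every one an explicit `@Order` and keep the chain without an `antMatcher` last, since it matches everything. In Spring Security 5.7 and later, `WebSecurityConfigurerAdapter` is deprecated and the same two chains are expressed as two `SecurityFilterChain` beans with the same ordering rules.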