我正在尝试编写一个结合 Spring Security 的 spring-boot 示例。我的想法是创建一个 Web 应用程序并同时提供一个 API,并希望两者都受到安全保护;因此,我需要配置多个 HttpSecurity(multiple HttpSecurity),但是该配置无法正常工作。
我参考了此链接 http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#multiple-httpsecurity ,但没有成功。而且,我收到了如下错误:
创建名称为 'webSecurityConfiguration' 的 bean 时出错:自动装配(autowired)依赖项的注入失败;嵌套异常是 java.lang.IllegalStateException:无法将 org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer 应用于已构建的对象
我正在使用的配置如下:
/**
 * Security configuration as posted in the question: one in-memory user store shared by
 * two filter chains, an HTTP Basic chain for the API paths and a form-login chain for
 * the rest of the application.
 *
 * <p>NOTE(review): this is the variant that fails at startup with the
 * IllegalStateException quoted in the question. The message says the in-memory
 * configurer was applied to a builder that had already been built; the exact cause is
 * not visible from this class alone.
 */
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableGlobalAuthentication
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfiguration {

    /**
     * Registers two in-memory accounts on the injected authentication builder.
     *
     * @param auth builder that receives the in-memory user store
     * @throws Exception if the builder rejects the configuration
     */
    @Autowired
    protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Sample-only credentials: both accounts, including the ADMIN one, share the
        // literal password "12345" committed in source. Fine for a demo, not for anything
        // deployed; real users belong in an external store with hashed passwords.
        auth.inMemoryAuthentication()
                .withUser("user").password("12345").roles("USER")
                .and()
                .withUser("admin").password("12345").roles("USER", "ADMIN");
    }

    /**
     * Filter chain for the API: evaluated first ({@code @Order(1)}) and restricted to
     * requests whose path matches the "/api/**" pattern.
     */
    @Configuration
    @Order(1)
    public static class ApiConfigurationAdapter extends WebSecurityConfigurerAdapter {

        /**
         * Requires the ADMIN role for every API request and authenticates with HTTP Basic.
         *
         * @param http the chain being configured
         * @throws Exception if a configurer cannot be applied
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Scope this chain to the API paths only.
            http.antMatcher("/api/**");

            // No per-endpoint rules: any request that reaches this chain needs ADMIN.
            http.authorizeRequests().anyRequest().hasRole("ADMIN");

            // Basic sends the credentials with every request, merely base64-encoded,
            // so this chain should only be reachable over TLS.
            http.httpBasic();
        }
    }

    /**
     * Filter chain for the web UI: evaluated second ({@code @Order(2)}); it declares no
     * request matcher of its own.
     */
    @Configuration
    @Order(2)
    public static class WebConfigurationAdapter extends WebSecurityConfigurerAdapter {

        /**
         * Excludes static resources from Spring Security.
         *
         * @param web the web-level security builder
         * @throws Exception if the builder rejects the configuration
         */
        @Override
        public void configure(WebSecurity web) throws Exception {
            // ignoring() bypasses the security filter chain completely for these paths,
            // so nothing placed under /resources/ is protected by the rules below.
            web.ignoring().antMatchers("/resources/**");
        }

        /**
         * Opens "/" and "/home", requires authentication elsewhere, and enables form
         * login and logout.
         *
         * @param http the chain being configured
         * @throws Exception if a configurer cannot be applied
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Public landing pages; every other URL needs an authenticated user.
            http.authorizeRequests()
                    .antMatchers("/", "/home").permitAll()
                    .anyRequest().authenticated();

            // The custom login page must itself be reachable anonymously.
            http.formLogin().loginPage("/login").permitAll();

            http.logout().permitAll();
        }
    }
}
提前致谢
经过大量阅读后,我找到了一个对我有效的配置:
/**
 * Security configuration from the answer: authentication is delegated to a custom
 * {@code UserDetailsService}, the API paths get a stateless token-based chain and the
 * rest of the application keeps form login.
 */
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfiguration extends GlobalAuthenticationConfigurerAdapter {

    @Resource(name = "customUserDetailsService")
    protected CustomUserDetailsService customUserDetailsService;

    // Injected but not referenced anywhere in this class as shown.
    @Resource
    private DataSource dataSource;

    /**
     * Points the global authentication builder at the custom user details service.
     *
     * @param auth builder that receives the user details service
     * @throws Exception if the builder rejects the configuration
     */
    @Autowired
    protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // NOTE(review): no password encoder is set here; how stored passwords are
        // compared depends on configuration outside this class. Confirm they are hashed.
        auth.userDetailsService(customUserDetailsService);
    }

    /**
     * Filter chain for the API: evaluated first ({@code @Order(1)}) and restricted to
     * requests whose path matches the "/api/**" pattern.
     */
    @Configuration
    @Order(1)
    public static class ApiConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Resource(name = "restUnauthorizedEntryPoint")
        private RestUnauthorizedEntryPoint restUnauthorizedEntryPoint;

        @Resource(name = "restAccessDeniedHandler")
        private RestAccessDeniedHandler restAccessDeniedHandler;

        /**
         * Configures a stateless, CSRF-exempt chain that leaves the authenticate endpoint
         * open, requires the ADMIN role everywhere else and applies the X-Auth token
         * configurer.
         *
         * @param http the chain being configured
         * @throws Exception if a configurer cannot be applied
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> tokenConfigurer =
                    new XAuthTokenConfigurer(userDetailsServiceBean());

            // Scope this chain to the API paths only.
            http.antMatcher("/api/**");

            // CSRF protection is switched off and no HTTP session is created. That is
            // only safe while the API never authenticates through something a browser
            // attaches automatically (such as a cookie).
            // NOTE(review): presumably XAuthTokenConfigurer reads a token from a request
            // header; it is not shown here, so confirm.
            http.csrf().disable();
            http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

            // REST-style handlers replace the defaults for unauthenticated and forbidden
            // requests.
            http.exceptionHandling()
                    .authenticationEntryPoint(restUnauthorizedEntryPoint)
                    .accessDeniedHandler(restAccessDeniedHandler);

            // The login endpoint has to be reachable anonymously, which also makes it the
            // place to add throttling or lockout; every other API call needs ADMIN.
            http.authorizeRequests()
                    .antMatchers(HttpMethod.POST, "/api/authenticate").permitAll()
                    .anyRequest().hasRole("ADMIN");

            http.apply(tokenConfigurer);
        }
    }

    /**
     * Filter chain for the web UI: evaluated second ({@code @Order(2)}); it declares no
     * request matcher of its own.
     */
    @Configuration
    @Order(2)
    public static class WebConfigurationAdapter extends WebSecurityConfigurerAdapter {

        /**
         * Opens "/" and "/home", requires authentication elsewhere, and enables form
         * login and logout.
         *
         * @param http the chain being configured
         * @throws Exception if a configurer cannot be applied
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Public landing pages; every other URL needs an authenticated user.
            http.authorizeRequests()
                    .antMatchers("/", "/home").permitAll()
                    .anyRequest().authenticated();

            // The custom login page must itself be reachable anonymously.
            http.formLogin().loginPage("/login").permitAll();

            http.logout().permitAll();
        }
    }
}