How do I create two http security configurations with Java-based config?

Bre*_*yan 3 java spring-security

In XML configuration I can create the following:

<security:http pattern="/api/**"
               create-session="never"
               use-expressions="true">
  <security:http-basic entry-point-ref="xBasicAuthenticationEntryPoint"/>
  <security:session-management />
  <security:intercept-url pattern="/tests/**" access="isAuthenticated()"/>
  <security:intercept-url pattern="/api/**" access="isAuthenticated()"/>
</security:http>

<security:http auto-config="true" use-expressions="true" realm="ACME">
  <security:intercept-url pattern="/favicon.ico" access="permitAll" />
  <security:intercept-url pattern="/static/**" access="permitAll"/>
  <security:intercept-url pattern="/error/**" access="permitAll" />
  <security:intercept-url pattern="/" access="permitAll"/>
  <security:intercept-url pattern="/login" access="permitAll"/>
  <security:intercept-url pattern="/logout" access="isAuthenticated()"/>
  <security:form-login login-page='/login'
                       authentication-failure-url="/login?error"/>
  <security:logout logout-url="/logout" logout-success-url="/"/>
</security:http>

This allows all calls to /api/** to not attempt to authenticate the user if there is no session.

How do I create the same configuration with Java-based config?

My WebSecurityConfigurerAdapter#configure(HttpSecurity) method looks like this:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.addFilter(switchUserFilter())
        .authorizeRequests()
        .antMatchers("/").permitAll()
        .antMatchers("/static/**").permitAll()
        .anyRequest().authenticated()
        .and().formLogin()
              .loginPage("/login")
              .permitAll()
              .defaultSuccessUrl("/")
        .and().logout()
              .logoutUrl("/logout")
              .logoutSuccessUrl("/");
}

Ser*_*sta 5

It is clearly stated in the Security Reference Manual that you can add inner classes annotated with @Configuration, using @Order() to specify which one is checked first. In your example it could look like:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.AuthenticationEntryPoint;

// Checked first: @Order(1) is lower than the adapter default of 100.
// Nested @Configuration classes must be static and non-private so Spring can proxy them.
@Order(1)
@Configuration
public static class ApiSecurityConfigurationAdapter
        extends WebSecurityConfigurerAdapter {

    // The entry point bean referenced as xBasicAuthenticationEntryPoint in the XML
    @Autowired
    private AuthenticationEntryPoint xBasicAuthenticationEntryPoint;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Scopes this whole filter chain to /api/**; other requests fall through
            .antMatcher("/api/**")
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
            .and().httpBasic().authenticationEntryPoint(xBasicAuthenticationEntryPoint)
            .and().authorizeRequests()
                .anyRequest().authenticated();
    }
}

// No antMatcher, so this chain handles every request the API chain did not claim.
@Configuration
public static class NormalSecurityConfigurationAdapter
        extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilter(switchUserFilter())
            .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/static/**").permitAll()
            .anyRequest().authenticated()
            .and().formLogin()
                  .loginPage("/login")
                  .permitAll()
                  .defaultSuccessUrl("/")
            .and().logout()
                  .logoutUrl("/logout")
                  .logoutSuccessUrl("/");
    }
}
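A complete, self-contained version of the two-chain setup described in the answer, added here as an illustration and not taken from the question, the answer or the Spring Security reference. It assumes the undefined xBasicAuthenticationEntryPoint bean is a BasicAuthenticationEntryPoint (the realm name "ACME" is borrowed from the second XML block, an assumption), leaves out the question's switchUserFilter() since that bean is not shown, and covers the permitAll rules for /favicon.ico, /error/** and the failure URL that the question's Java snippet dropped. The ordering is the security-relevant part: if the catch-all adapter ever sorted before the /api/** one, every API call would be answered with a redirect to the HTML login page instead of a 401, and two adapters with the same @Order value refuse to start. One behavioural difference from the XML is worth checking: Java config enables CSRF protection by default while the XML above never turns it on, so the stateless basic-auth chain disables it explicitly and the form-login chain keeps it (which makes /logout a POST).

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;

@Configuration
@EnableWebSecurity
public class MultiHttpSecurityConfig {

    // Assumed implementation of the entry point the XML calls xBasicAuthenticationEntryPoint:
    // answers unauthenticated API calls with 401 + WWW-Authenticate instead of a login redirect.
    @Bean
    public BasicAuthenticationEntryPoint xBasicAuthenticationEntryPoint() {
        BasicAuthenticationEntryPoint entryPoint = new BasicAuthenticationEntryPoint();
        entryPoint.setRealmName("ACME"); // assumption: realm reused from the second XML block
        return entryPoint;
    }

    // Lowest @Order value wins; must be below the adapter default of 100 or this
    // chain is shadowed by the catch-all chain below and /api/** gets form login.
    @Configuration
    @Order(1)
    public static class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private BasicAuthenticationEntryPoint xBasicAuthenticationEntryPoint;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // Restricts this entire chain to /api/**; everything else falls through.
                .antMatcher("/api/**")
                // Java config enables CSRF by default, the XML above did not; a
                // session-less basic-auth API has no session to bind a token to.
                .csrf().disable()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.NEVER) // create-session="never"
                    .and()
                .httpBasic()
                    .authenticationEntryPoint(xBasicAuthenticationEntryPoint)
                    .and()
                .authorizeRequests()
                    .anyRequest().authenticated();
        }
    }

    // No antMatcher and default order 100: handles every request the API chain skipped.
    @Configuration
    public static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/favicon.ico", "/static/**", "/error/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .failureUrl("/login?error")   // authentication-failure-url
                    .permitAll()
                    .and()
                .logout()
                    // CSRF stays enabled here, so logout must be a POST carrying the token
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/");
        }
    }
}
```

A quick way to confirm the chains are wired in the right order is to request /api/anything without credentials and expect a 401 with a WWW-Authenticate header, then request any other protected path and expect a 302 to /login; if the API call redirects, the @Order values are wrong.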