Jul*_* G. 6 session spring spring-security jwt spring-boot
我的目标是在Spring Boot应用程序中使用这两种安全性.我已经使用JWT完成了API端,但我不知道如何为WEB端实现会话.我已经在另一个项目中完成了这项工作,但我不知道如何让它们协同工作.
这是我的SecurityConfig:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().ignoringAntMatchers("/api/**")
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/api/register").permitAll()
.antMatchers("/api/login").permitAll()
.antMatchers("/api/public").permitAll()
.antMatchers("/api/lost").permitAll()
.antMatchers("/").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/contact").permitAll()
.antMatchers("/resources/**").permitAll()
.antMatchers("/file/**").permitAll()
.anyRequest().authenticated()
.and()
.apply(new JWTConfigurer(this.tokenProvider));
}
我想要这样的东西:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
// For API side something like : .match("/api/**")
// No CSRF
.csrf().ignoringAntMatchers("/api/**")
// STATELESS session
// Use token filter
.apply(new JWTConfigurer(this.tokenProvider));
// For WEB side something like : .match "others"
// Use CSRF
.csrf()
// Use session
// And the other permit :
.authorizeRequests()
.antMatchers("/api/register").permitAll()
.antMatchers("/api/login").permitAll()
.antMatchers("/api/public").permitAll()
.antMatchers("/api/lost").permitAll()
.antMatchers("/").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/contact").permitAll()
.antMatchers("/resources/**").permitAll()
.antMatchers("/file/**").permitAll()
.anyRequest().authenticated();
}
谁能告诉我怎么做?(并解释我是如何工作的).我没有找到任何好的解决方案.
Jul*_* G. 13
经过6个小时的搜索,这里有解决方案:https: //docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#multiple-httpsecurity
编辑:我是这样做的:
@EnableWebSecurity
public class MultiHttpSecurityConfig {
@Autowired
private UserDetailsService userDetailsService;
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(12);
}
@Configuration
@Order(1)
public class ApiSecurityAdapter extends WebSecurityConfigurerAdapter {
private TokenProvider tokenProvider;
public ApiSecurityAdapter(TokenProvider tokenProvider) {
this.tokenProvider = tokenProvider;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/api/**") //<= Security only available for /api/**
.authorizeRequests()
.antMatchers("/api/register").permitAll()
.antMatchers("/api/login").permitAll()
.antMatchers("/api/public").permitAll()
.antMatchers("/api/lost").permitAll()
.anyRequest().authenticated()
.and()
.apply(new JWTConfigurer(this.tokenProvider))
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
}
@Configuration
public class WebSecurityAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http // <= Security available for others (not /api/)
.authorizeRequests()
.antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
.antMatchers("/").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/resources/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.usernameParameter("email")
.passwordParameter("password")
.defaultSuccessUrl("/central", false)
.failureForwardUrl("/login/fail")
.and()
.logout()
.invalidateHttpSession(true)
.logoutUrl("/logout")
.logoutSuccessUrl("/")
.and()
.csrf();
}
}
}
希望这可以帮助!
| 归档时间: |
|
| 查看次数: |
3622 次 |
| 最近记录: |