我正在尝试在springboot中实现Basic Auth + oAuth2,这意味着某些url在登录系统后应像传统方式一样工作,而某些应在AOuth2上工作。
就像我想允许访问SuperAdmin管理面板一样,URL从
/ superAdmin / ****
我只想在一般登录系统后访问所有这些URL。
和REST服务应该在带有URL开始表格的AOuth2上工作
/ api / vi / ****
这些网址用于授予申请人访问权限。
两者都可以正常工作,但两者都不能正常工作。
这是我的配置。
import in.kpis.tracking.configuration.CustomAuthenticationSuccessHandler; import in.kpis.tracking.service.AdminUserService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer; import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter; import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer; @Configuration public class OAuth2ServerConfiguration { protected static final String RESOURCE_ID = "restservice"; @Configuration @EnableResourceServer protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter { @Override public void configure(ResourceServerSecurityConfigurer resources) { // @formatter:off resources.resourceId(RESOURCE_ID); // @formatter:on } @Override public void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/api/v1/*").hasRole("ADMIN") .antMatchers("/greeting").authenticated(); } } @Configuration public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter { @Autowired private AdminUserService adminUserService; @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(adminUserService); } @Override @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } } @Configuration @Order(1) public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { String[] permitAll = new String[]{"/error"}; String[] permitToSuperAdmin = new String[]{ "/superAdmin/*", }; http.authorizeRequests() .antMatchers(permitToSuperAdmin).access("hasRole('SUPER_ADMIN')") .antMatchers("/login").permitAll() .and().formLogin().loginPage("/userLogin.html") .usernameParameter("username") .passwordParameter("password") .loginProcessingUrl("/login") .successHandler(new CustomAuthenticationSuccessHandler()) .and() .logout().logoutSuccessUrl("/userLogin.html?logout") .deleteCookies("JSESSIONID") .invalidateHttpSession(true); http.csrf().disable(); } } }
伟大的问题为了将oAuth与spring security结合使用,我认为没有任何办法可以使用它。您需要创建两个不同的项目,一个用于常规秒。一种是用于oAuth。
