Spring Security：多个HTTP配置无法正常工作

@Configuration@Order(1)public static class ProviderSecurity extends WebSecurityConfigurerAdapter{
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .antMatchers("/admin/login").permitAll()
                .antMatchers("/admin/**").access("hasRole('BASE_USER')")
                .and()
            .formLogin()
                .loginPage("/admin/login").permitAll()
                .defaultSuccessUrl("/admin/home")
                .failureUrl("/admin/login?error=true").permitAll()
                .usernameParameter("username")
                .passwordParameter("password")
                .and()
            .csrf()                    
                .and()
            .exceptionHandling().accessDeniedPage("/Access_Denied");            
    }}@Configuration@Order(2)public static class ConsumerSecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http            .authorizeRequests()
                .antMatchers("/consumer/login").permitAll()
                .antMatchers("/consumer/**").access("hasRole('BASE_USER')")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/consumer/login").permitAll()
                .defaultSuccessUrl("/consumer/home")
                .failureUrl("/consumer/login?error=true").permitAll()
                .usernameParameter("username")
                .passwordParameter("password")
                .and().csrf()                
                .and()
            .exceptionHandling().accessDeniedPage("/Access_Denied");
    }}

2回答

繁星coding

看看Spring Security Reference：@EnableWebSecuritypublic class MultiHttpSecurityConfig {   @Autowired   public void configureGlobal(AuthenticationManagerBuilder auth) { 1       auth          .inMemoryAuthentication()               .withUser("user").password("password").roles("USER").and()               .withUser("admin").password("password").roles("USER", "ADMIN");   }   @Configuration   @Order(1)                                                        2   public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {       protected void configure(HttpSecurity http) throws Exception {           http              .antMatcher("/api/**")                               3               .authorizeRequests()                   .anyRequest().hasRole("ADMIN")                   .and()               .httpBasic();       }   }       @Configuration                                                   4   public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {       @Override       protected void configure(HttpSecurity http) throws Exception {           http              .authorizeRequests()                   .anyRequest().authenticated()                   .and()               .formLogin();       }   }}1正常配置身份验证2创建WebSecurityConfigurerAdapter包含的实例@Order以指定WebSecurityConfigurerAdapter应首先考虑的实例。3 http.antMatcher表明HttpSecurity这只适用于以。开头的网址/api/4创建另一个实例WebSecurityConfigurerAdapter。如果URL未/api/以此配置启动，则将使用此配置。之后考虑此配置，ApiWebSecurityConfigurationAdapter因为它具有之后的@Order值1（无@Order默认为最后）。您的第二个配置未使用，因为您的第一个配置匹配/**（未antMatcher配置）。并且您的第一个配置仅限制/admin/**，默认情况下允许所有其他URL。

0

0

0

倚天杖

你的第一个WebSecurityConfigurerAdapter的http            .authorizeRequests()匹配所有网址，将其限制为仅/admin使用antMatcher以下网址开头的网址：@Configuration@Order(1)public static class ProviderSecurity extends WebSecurityConfigurerAdapter{     @Override     protected void configure(HttpSecurity http) throws Exception {         http            .antMatcher("/admin/**")                 .authorizeRequests()                 .antMatchers("/admin/login").permitAll()                 .antMatchers("/admin/**").access("hasRole('BASE_USER')")                 .and()                 ...

0

0

0