1. StackOverflow 文档
  2. spring-security 教程
  3. Spring 安全配置
  4. 组态

组态

Created: November-22, 2018

这是相应的 Java 配置:

将此批注添加到 @Configuration 类,以便通过扩展 WebSecurityConfigurerAdapter 基类并覆盖单个方法,在任何 WebSecurityConfigurer 或更高版本中定义 Spring Security 配置:

@Configuration
@EnableWebSecurity
@Profile("container")
public class XSecurityConfig extends WebSecurityConfigurerAdapter {

inMemoryAuthentication
它定义了一个内存认证方案,其用户具有用户名 user,密码 password 和角色“ROLE_USER”。

  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
     auth
         .inMemoryAuthentication()
             .withUser("user")
             .password("password")
             .roles("ROLE_USER");
  }

  @Override
  public void configure(WebSecurity web) throws Exception {
     web
         .ignoring()
             .antMatchers("/scripts/**","/styles/**","/images/**","/error/**");
  }

HttpSecurity
它允许为特定的 HTTP 请求配置基于 Web 的安全性。默认情况下,它将应用于所有请求,但可以使用 requestMatcher(RequestMatcher) 或其他类似方法进行限制。

  @Override
  public void configure(HttpSecurity http) throws Exception {
     http
         .authorizeRequests()
             .antMatchers("/rest/**").authenticated()
             .antMatchers("/**").permitAll()
             .anyRequest().authenticated()
             .and()
         .formLogin()
             .successHandler(new AuthenticationSuccessHandler() {
                 @Override
                 public void onAuthenticationSuccess(
                     HttpServletRequest request,
                     HttpServletResponse response,
                     Authentication a) throws IOException, ServletException {
                         // To change body of generated methods,
                         response.setStatus(HttpServletResponse.SC_OK);
                 }
             })
             .failureHandler(new AuthenticationFailureHandler() {
                 @Override
                 public void onAuthenticationFailure(
                     HttpServletRequest request,
                     HttpServletResponse response,
                     AuthenticationException ae) throws IOException, ServletException {
                         response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                 }
             })
             .loginProcessingUrl("/access/login")
             .and()
         .logout()
             .logoutUrl("/access/logout")                
             .logoutSuccessHandler(new LogoutSuccessHandler() {
                 @Override
                 public void onLogoutSuccess(
                     HttpServletRequest request, 
                     HttpServletResponse response, 
                     Authentication a) throws IOException, ServletException {
                         response.setStatus(HttpServletResponse.SC_NO_CONTENT);
                 }
             })
             .invalidateHttpSession(true)
             .and()
         .exceptionHandling()
         .authenticationEntryPoint(new Http403ForbiddenEntryPoint())
             .and()
         .csrf() //Disabled CSRF protection
             .disable();
  }
}