組態

這是相應的 Java 配置:

將此批註新增到 @Configuration 類,即可在任意 WebSecurityConfigurer 中定義 Spring Security 配置;更常見的做法是擴充套件 WebSecurityConfigurerAdapter 基類並覆蓋其中的個別方法:

@Configuration
@EnableWebSecurity
@Profile("container")
public class XSecurityConfig extends WebSecurityConfigurerAdapter {

inMemoryAuthentication
它定義了一個記憶體認證方案,其使用者具有使用者名稱 user,密碼 password 和角色“ROLE_USER”。

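  /**
   * Registers the in-memory authentication scheme used under the "container" profile.
   *
   * <p>A single account is defined: username {@code user}, password {@code password},
   * granted authority {@code ROLE_USER}.
   *
   * @param auth the builder the authentication manager is assembled from
   * @throws Exception propagated from the builder, as declared by the overridden method
   */
  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
     auth
         .inMemoryAuthentication()
             .withUser("user")
             // NOTE(review): under Spring Security 5+ the default DelegatingPasswordEncoder
             // does not accept an un-prefixed plaintext value; a "{noop}" prefix or an
             // explicit PasswordEncoder would be required -- confirm the version in use.
             .password("password")
             // roles() adds the "ROLE_" prefix itself, so the bare role name goes here;
             // passing "ROLE_USER" would not yield the intended ROLE_USER authority.
             .roles("USER");
  }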

  /**
   * Excludes static resources and the error pages from the security filter chain,
   * so requests for them are served without passing through Spring Security.
   *
   * @param web web-level security settings
   * @throws Exception propagated from the configurer, as declared by the overridden method
   */
  @Override
  public void configure(WebSecurity web) throws Exception {
     // Everything matched here bypasses the filter chain entirely.
     String[] unsecuredPaths = {"/scripts/**", "/styles/**", "/images/**", "/error/**"};
     web.ignoring().antMatchers(unsecuredPaths);
  }

HttpSecurity
它允許為特定的 HTTP 請求配置基於 Web 的安全性。預設情況下,它將應用於所有請求,但可以使用 requestMatcher(RequestMatcher) 或其他類似方法進行限制。

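  /**
   * Configures request authorization, form login, logout and exception handling
   * for the HTTP endpoints.
   *
   * <p>Only {@code /rest/**} requires an authenticated session; every other path is
   * open. Login, logout and access-denied outcomes are reported purely through HTTP
   * status codes (no redirects or rendered pages).
   *
   * @param http the HTTP security builder for this filter chain
   * @throws Exception propagated from the builder, as declared by the overridden method
   */
  @Override
  public void configure(HttpSecurity http) throws Exception {
     http
         .authorizeRequests()
             .antMatchers("/rest/**").authenticated()
             // "/**" matches every request not caught above, so no rule placed after
             // it can ever be reached; the former trailing anyRequest() rule was dead.
             .antMatchers("/**").permitAll()
             .and()
         .formLogin()
             .successHandler(new AuthenticationSuccessHandler() {
                 @Override
                 public void onAuthenticationSuccess(
                     HttpServletRequest request,
                     HttpServletResponse response,
                     Authentication a) throws IOException, ServletException {
                         // Plain 200 instead of the default redirect to a target URL.
                         response.setStatus(HttpServletResponse.SC_OK);
                 }
             })
             .failureHandler(new AuthenticationFailureHandler() {
                 @Override
                 public void onAuthenticationFailure(
                     HttpServletRequest request,
                     HttpServletResponse response,
                     AuthenticationException ae) throws IOException, ServletException {
                         // Bad credentials are signalled with 401, no failure page.
                         response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                 }
             })
             .loginProcessingUrl("/access/login")
             .and()
         .logout()
             .logoutUrl("/access/logout")
             .logoutSuccessHandler(new LogoutSuccessHandler() {
                 @Override
                 public void onLogoutSuccess(
                     HttpServletRequest request,
                     HttpServletResponse response,
                     Authentication a) throws IOException, ServletException {
                         // 204: the session is gone and there is nothing to render.
                         response.setStatus(HttpServletResponse.SC_NO_CONTENT);
                 }
             })
             .invalidateHttpSession(true)
             .and()
         .exceptionHandling()
             // An unauthenticated hit on /rest/** gets 403 rather than a login redirect.
             .authenticationEntryPoint(new Http403ForbiddenEntryPoint())
             .and()
         // CSRF protection is disabled. Since login establishes a cookie-backed session,
         // state-changing /rest/** endpoints then accept requests issued from any origin
         // the browser carries that cookie to. If a token scheme is wanted instead,
         // keep csrf() enabled with CookieCsrfTokenRepository.withHttpOnlyFalse() so a
         // JavaScript client can read and echo the token.
         .csrf()
             .disable();
  }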
}