我是春季安全新手。尝试将其用于带有rest后端的项目。对于我的后端,某些url需要打开,某些url需要具有httpbasic auth/https,某些url需要令牌身份验证。
我正试图使用web mvc测试来设置这个。试图通过使用控制器方法来测试它:
@RequestMapping(value="/auth/signup", method=RequestMethod.POST)
@ResponseStatus(HttpStatus.OK)
public void test(){
System.err.println("Controller reached!");
}
@RequestMapping(value="/auth/login", method=RequestMethod.POST)
@ResponseStatus(HttpStatus.OK)
public void test2(){
System.err.println("Controller reached!");
}
我的Spring安全配置锁如下:
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER");
}
@Configuration
@Order(1)
public static class FreeEndpointsConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/auth/signup").permitAll()
.and().csrf().disable();
}
}
@Configuration
@Order(2)
public static class HttpBasicAuthConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/auth/login").hasAnyRole("USER")
.and().httpBasic()
.and().csrf().disable();
}
}
}
My Test是这样的:
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(classes={RootContext.class, WebSecurityConfig.class})
@WebAppConfiguration
public class AccountSecurityTest {
@Autowired
private WebApplicationContext wac;
private MockMvc securityMockMvc;
@Before
public void SetupContext() {
securityMockMvc = MockMvcBuilders
.webAppContextSetup(wac)
.apply(springSecurity()).build();
}
@Test
public void testSigInFree() throws Exception {
MockHttpServletRequestBuilder post = post("/auth/signup");
securityMockMvc.perform(post).andExpect(status().isOk());
}
@Test
public void testLoginHttpBasic() throws Exception {
MockHttpServletRequestBuilder post = post("/auth/login");
securityMockMvc.perform(post).andExpect(status().isOk());
}
}
testmethod "testLoginHttpBasic"是绿色的。但我预计会失败,因为我试图配置/强制httpbasic身份验证。我错在哪里?
变化
http.authorizeRequests().antMatchers("/auth/signup").permitAll()
来http.antMatcher("/auth/signup").authorizeRequests().anyRequest().permitAll()
和
http.antMatcher("/auth/login").authorizeRequests().anyRequest().hasAnyRole("USER")
来http.authorizeRequests().antMatchers("/auth/login").hasAnyRole("USER")
.
你的第二次测试将会失败。
你为什么需要这个改变?
http.authorizeRequests()...
创建一个匹配每个URL的SecurityFilterChain
。一旦一个SecurityFilterChain
匹配请求,所有后续的SecurityFilterChain
将永远不会被评估。因此,您的FreeEndpointsConfig
消耗了每个请求。
使用http.antMatcher("...")
,您可以将每个SecurityFilterChain
限制为特定的URL(模式)。现在FreeEndpointsConfig
只匹配/auth/signup
和HttpBasicAuthConfig
/auth/login
。
你可以用WebSecurity::configure
设置一些url,比如静态资源(js, html或css)的路径。在WebSecurityConfig
中重写WebSecurity::configure
@Override
public void configure(WebSecurity webSecurity) throws Exception {
webSecurity
.ignoring()
.antMatchers("/auth/signup");
}
和FreeEndpointsConfig
不再需要