我们以官方API在端口8080(在我们的虚拟网络之外映射到端口443上的普通httpS)的方式配置我们的新微服务(使用Spring-Boot),而一些管理功能在辅助http上端口7979.这些只在虚拟网络中使用,用于监控,负载均衡等.
所有API访问都需要使用OAuth保护,而管理功能应该可以在网络内自由访问.所以我们以这种方式配置Spring安全性(http是一个httpSecurity对象):
http .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER) .and() .authorizeRequests() .antMatchers("/info").anonymous() .antMatchers("/health").anonymous() .antMatchers(httpMethod.GET,"/warehouses/**").access(oauthScopeRead) .antMatchers(httpMethod.PUT,"/warehouses/**").access(oauthScopeWrite) .anyRequest().denyAll();这对两个端口都有影响:/ info和/ health是未经授权的,而/ warehouses需要身份验证,其他一切也需要身份验证(返回401,但是在使用身份验证调用时,它返回403).
由于公共端口上没有/ info或/ health,因此未经授权的用户返回404,而其他所有用户返回401.我对此不满意并希望拥有
>在公共端口上,要求对所有内容进行身份验证(并且仅在经过身份验证后返回404或403)
>在管理端口上,根本不需要身份验证(对于不是其中一个配置端点的所有内容,返回404).
我在Spring Security Javadocs或reference documentation中找不到任何有关端口的信息.
我能在这做什么?
最佳答案我找到了解决方案:这里的authorizeRequests()方法返回一个ExpressionUrlAuthorizationConfigurer< HttpSecurity> .ExpressionInterceptUrlRegistry,它(从其祖先类AbstractRequestMatcherRegistry)旁边的一些antMatchers方法也是一个通用的requestMatchers()方法,它接受一个或多个RequestMatcher对象.事实证明这是我可以自己实现的界面:
/** * A request matcher which matches just a port. * * @param port the port to match. * * @return the new matcher. */private RequestMatcher forPort(final int port) { return (httpServletRequest request) -> port == request.getLocalPort();}(这是Java 8语法,对于以前的Java版本,您必须在此处编写任何匿名类.)
虽然requestMatchers需要几个这样的匹配器,看起来它们通过OR连接(至少this example suggests这个),因此我使用AndRequestMatcher将它连接到路径的匹配器(和http方法)).
最终代码如下所示:
@Value("${management.port}")private int managementPort;@Value("${server.port}")private int APIPort;/** * Configure scopes for specific controller/httpmethods/roles here. */@OverrIDepublic voID configure(final httpSecurity http) throws Exception { //J- http .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER) .and() .authorizeRequests() .requestMatchers(forPortAndpath(managementPort,"/info")).anonymous() .requestMatchers(forPortAndpath(managementPort,"/health")).anonymous() .requestMatchers(forPortAndpath(APIPort,httpMethod.GET,"/warehouses/**")).access(oauthScopeRead) .requestMatchers(forPortAndpath(APIPort,httpMethod.PUT,"/warehouses/**")).access(oauthScopeWrite) .anyRequest().denyAll(); //J+}/** * Creates a request matcher which only matches requests for a specific local port and path (using an * {@link AntPathRequestMatcher} for the path part). * * @param port the port to match * @param pathPattern the pattern for the path. * * @return the new request matcher. */private RequestMatcher forPortAndpath(final int port,@Nonnull final String pathPattern) { return new AndRequestMatcher(forPort(port),new AntPathRequestMatcher(pathPattern));}/** * Creates a request matcher which only matches requests for a specific local port,path and request method (using * an {@link AntPathRequestMatcher} for the path part). * * @param port the port to match * @param pathPattern the pattern for the path. * @param method the httpMethod to match. Requests for other methods will not be matched. * * @return the new request matcher. */private RequestMatcher forPortAndpath(final int port,@Nonnull final httpMethod method,new AntPathRequestMatcher(pathPattern,method.name()));}/** * A request matcher which matches just a port. * * @param port the port to match. * * @return the new matcher. */private RequestMatcher forPort(final int port) { return (httpServletRequest request) -> { return port == request.getLocalPort(); };}这并没有完全反映这个问题:managementPort在这里只有“/ info”和“/ health”公共可达,而不是一切.
你可以用它
.requestMatchers(forPort(managementPort)).anonymous()使这个端口完全未经授权. 总结
以上是内存溢出为你收集整理的java – 如何告诉spring security仅为特定端口应用authorizeRequests?全部内容,希望文章能够帮你解决java – 如何告诉spring security仅为特定端口应用authorizeRequests?所遇到的程序开发问题。
如果觉得内存溢出网站内容还不错,欢迎将内存溢出网站推荐给程序员好友。
欢迎分享,转载请注明来源:内存溢出
微信扫一扫
支付宝扫一扫
评论列表(0条)