logo标签列表

使用HTTP Basic和OIDC Bearer令牌进行Spring Security身份验证

javaspring-bootauthenticationspring-securitybearer-token
3

我正在开发一个web应用程序,使用的是Spring Boot 2.4.1和Spring Security 5.4.2。我需要同时提供HTTP基本身份验证和Bearer令牌身份验证(对于每个API调用,从SPA发送JWT访问令牌)。

所有API URL都以路径/api开头,并且必须使用Bearer令牌进行身份验证,除了两个URL(/api/func1/api/func2),这两个URL必须使用HTTP Basic身份验证。

问题在于如果我激活了扩展WebSecurityConfigurerAdapter的类来进行HTTP Basic身份验证,则Bearer令牌身份验证就会被跳过。

@Configuration
@EnableWebSecurity
@ConditionalOnProperty(name = "auth.enable", matchIfMissing = true)
@Order(1)
public class HttpBasicSecurityConfiguration extends WebSecurityConfigurerAdapter {

    private final RestBasicAuthEntryPoint authenticationEntryPoint;
    private final DataSource dataSource;

    @Autowired
    public HttpBasicSecurityConfiguration(final RestBasicAuthEntryPoint authenticationEntryPoint,
                                          final DataSource dataSource) {
        super();
        this.authenticationEntryPoint = authenticationEntryPoint;
        this.dataSource = dataSource;
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests().antMatchers({"/api/func1/**","/api/func2/**"}).authenticated()
            .and()
            .httpBasic()
            .authenticationEntryPoint(authenticationEntryPoint);
    }

    @Override
    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
        // Usernames, passwords and roles are stored into USERS and AUTHORITIES tables
        auth.jdbcAuthentication()
            .passwordEncoder(passwordEncoder())
            .dataSource(dataSource);
    }

    private PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
}

@Configuration
@EnableWebSecurity(debug=true)
@ConditionalOnProperty(name = "auth.enable", matchIfMissing = true)
@Order(2)
public class Oauth2SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    public Oauth2SecurityConfiguration(CactusSystemConfiguration systemConfiguration) {
        super();
        this.systemConfiguration = systemConfiguration;
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .antMatchers({"/ws/**","/api/mock/**"}).permitAll()
            .and()
            .authorizeRequests().antMatchers("/api/**").authenticated()
            .and()
            .oauth2ResourceServer().jwt();
    }
}

当调用需要使用Bearer令牌进行身份验证的方法时,Spring Security会打印以下信息:

Request received for GET '/api/genericFunc':

org.apache.catalina.connector.RequestFacade@517df0fb

servletPath:/api/genericFunc
pathInfo:null
headers: 
host: devbox:8080
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate
authorization: Bearer eyJ0eXAiOiJ.....
connection: keep-alive
cookie: JSESSIONID=D3E8CED6AB13EFF0D15BFA6C69AFEED4; JSESSIONID=C923091B9B9E38A19106BC4F529F7D13


Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  LogoutFilter
  BasicAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]

很明显BearerTokenAuthenticationFilter没有加载。

如果我排除HttpBasicSecurityConfiguration运行,则会得到:

Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  LogoutFilter
  BearerTokenAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]

任何想法为什么会发生这种情况? 也许在Spring Security中,当具有相同祖先路径(即/api)的API使用两种不同的身份验证方法时,这是不可能的。
1个回答
3
这是因为HttpBasicSecurityConfiguration匹配了所有请求,所以只有/api/func1/**/api/func2/**需要进行HTTP基本身份验证,而其他请求则无需验证。这时Spring安全过滤器链被跳过,其他过滤器也不会被触发。
您需要限制第一个过滤器应用的请求。只需将HttpBasicSecurityConfiguration中的configure方法更改为以下内容即可:
@Override
protected void configure(final HttpSecurity http) throws Exception {
    http.csrf().disable()
            .requestMatchers().antMatchers("/api/func1/**","/api/func2/**")
            .and()
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .httpBasic()
            .authenticationEntryPoint(authenticationEntryPoint);
}

请注意,.requestMatchers().antMatchers("/api/func1/**","/api/func2/**") 会在 .authorizeRequests().anyRequest() 之前应用,您可以使用任何请求,无需再次匹配URL。
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接