春のSecurityConfigを分割することはできますか？

Question

私はchildAとchildBというプロジェクトを持っています。

childAコントローラのセキュリティをchildAとchildBコントローラに設定する場合は、childBにしてください。

これまでのところ私は、次のSecurityConfigがあります

@Configuration 
@EnableWebSecurity 
@EnableGlobalMethodSecurity(prePostEnabled = true) 
public class SecurityConfig extends WebSecurityConfigurerAdapter { 


    @Autowired 
    private CookieProperties cookieProperties; 

    @Autowired 
    private LdapUserDetailsManager userDetailsService; 

    @Autowired 
    private AuthenticationSuccessHandler authenticationSuccessHandler; 

    @Autowired 
    private AuthenticationEntryPoint authenticationEntryPoint; 

    @Autowired 
    private AuthenticationFailureHandler authenticationFailureHandler; 

    @Autowired 
    private AccessDeniedHandler accessDeniedHandler; 

    @Autowired 
    private LogoutSuccessHandler logoutSuccessHandler; 

    @Autowired 
    private LdapProperties ldapProperties; 

    @Autowired 
    private Environment environment; 


    @Bean(name = BeanIds.AUTHENTICATION_MANAGER) 
    @Override 
    public AuthenticationManager authenticationManagerBean() throws Exception { 
     return super.authenticationManagerBean(); 
    } 

    @Bean 
    public LdapDaoAuthenticationProvider ldapDaoAuthenticationProvider(LdapProperties ldapProperties) { 
     LdapDaoAuthenticationProvider provider = new LdapDaoAuthenticationProvider(); 
     provider.setUserDetailsService(userDetailsService); 
     provider.setLdapProperties(ldapProperties); 
     provider.setPasswordEncoder(passwordEncoder()); 
     return provider; 
    } 

    @Override 
    protected void configure(AuthenticationManagerBuilder auth) throws Exception { 

      auth.authenticationProvider(ldapDaoAuthenticationProvider(ldapProperties)); 

    } 

    @Override 
    protected void configure(HttpSecurity http) throws Exception { 
     http 
      .requestMatcher(
       // how to move this in another file ? 
       new OrRequestMatcher(
        new AntPathRequestMatcher(ChildAHttpPathStore.PATH_SOMETHING), 
        new AntPathRequestMatcher(ChildBHttpPathStore.PATH_SOMETHING), 
       ) 
      ) 
      .sessionManagement() 
       .sessionCreationPolicy(SessionCreationPolicy.NEVER) 
       .and() 
      .csrf() 
       .csrfTokenRepository(corsCookieCsrfTokenRepository()) 
       .and() 
      .authorizeRequests() 
       .antMatchers(HttpMethod.GET, CoreHttpPathStore.PING).permitAll() 
       .anyRequest().hasAnyAuthority(
         UserManagement.ROLE_AUTH_SERVICE 
       ) 
      .and() 
       .exceptionHandling() 
       .accessDeniedHandler(accessDeniedHandler) 
       .authenticationEntryPoint(authenticationEntryPoint) 
      .and() 
       .formLogin() 
       .loginProcessingUrl(CoreHttpPathStore.LOGIN) 
       .successHandler(authenticationSuccessHandler) 
       .failureHandler(authenticationFailureHandler) 
       .permitAll() 
      .and() 
       .logout() 
       .logoutUrl(CoreHttpPathStore.LOGOUT) 
       .logoutSuccessUrl(CoreHttpPathStore.LOGIN_FROM_LOGOUT) 
       .logoutSuccessHandler(logoutSuccessHandler) 
       .permitAll() 
      .and() 
       .headers().cacheControl().disable(); 
    } 

    @Bean(name = "userPasswordEncoder") 
    public LdapShaPasswordEncoder passwordEncoder() { 
     return new LdapShaPasswordEncoder(); 
    } 

    @Bean 
    public CookieSerializer cookieSerializer() { 
     DefaultCookieSerializer serializer = new DefaultCookieSerializer(); 
     if (null != cookieProperties.getName()) { serializer.setCookieName(cookieProperties.getName()); } 
     if (null != cookieProperties.getPath()) { serializer.setCookiePath(cookieProperties.getPath()); } 
     if (null != cookieProperties.getHttpOnly()) { serializer.setUseHttpOnlyCookie(cookieProperties.getHttpOnly()); } 
     if (null != cookieProperties.getMaxAge()) { serializer.setCookieMaxAge(cookieProperties.getMaxAge()); } 
     if (null != cookieProperties.getSecure()) { serializer.setUseSecureCookie(cookieProperties.getSecure()); } 
     if (null != cookieProperties.getDomain()) { serializer.setDomainName(cookieProperties.getDomain()); } 
     return serializer; 
    } 

    @Bean 
    public CorsCookieCsrfTokenRepository corsCookieCsrfTokenRepository(){ 
     CorsCookieCsrfTokenRepository repository = new CorsCookieCsrfTokenRepository(); 
     repository.setCookieHttpOnly(false); 
     repository.setHeaderName("X-XSRF-TOKEN"); 
     repository.setCookiePath(cookieProperties.getPath()); 
     repository.setCookieDomain(cookieProperties.getDomain()); 
     repository.setCookieName("XSRF-TOKEN"); 
     return repository; 
    } 

} 

は、この設定を分割することが可能ですか？

Answer 1

あなたが複数記述する必要がある場合はHttpSecurityによるspring security docsに最も簡単なあなたは、どこインポートする@importを分離して使用することができますHttpSecurity

@EnableWebSecurity 
public class MultiHttpSecurityConfig { 
    @Bean 
    public UserDetailsService userDetailsService() throws Exception { 
     InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager(); 
     manager.createUser(User.withUsername("user").password("password").roles("USER").build()); 
     manager.createUser(User.withUsername("admin").password("password").roles("USER","ADMIN").build()); 
     return manager; 
    } 

    @Configuration 
    @Order(1)               
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter { 
     protected void configure(HttpSecurity http) throws Exception { 
      http 
       .antMatcher("/api/**")        
       .authorizeRequests() 
        .anyRequest().hasRole("ADMIN") 
        .and() 
       .httpBasic(); 
     } 
    } 

    @Configuration             
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { 

     @Override 
     protected void configure(HttpSecurity http) throws Exception { 
      http 
       .authorizeRequests() 
        .anyRequest().authenticated() 
        .and() 
       .formLogin(); 
     } 
    } 
}