私はhttpBasic
とformLogin
を設定する次のクラスを書いています。ただし、記載されているURLにはformLogin
認証が適用されません。上記のURLに対してはHTTPBasic
認証が動作します。親切に私は上記の構成でやっていることは、ユーザがorder(1)
に記載されているもの以外の任意のページにアクセスしている場合、私は、アプリケーションがベースのフォームを使用したい、ということで、春のセキュリティ - httpの基本とformloginを組み合わせて
import com.sun.research.ws.wadl.HTTPMethods;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@EnableWebSecurity
public class SpringSecurityConfig{
/**
@Autowired
private AuthenticationEntryPoint authEntryPoint;
@Override
protected void configure(HttpSecurity http) throws Exception {
//http.csrf().disable().authorizeRequests()
// .anyRequest().authenticated()
// .and().httpBasic()
// .authenticationEntryPoint(authEntryPoint);
http.csrf().disable().authorizeRequests()
.antMatchers(HttpMethod.GET,"/pay").permitAll()
.antMatchers(HttpMethod.GET,"/success").permitAll()
.antMatchers(HttpMethod.GET,"/cancel").permitAll()
.antMatchers(HttpMethod.POST,"/create-payment").permitAll()
.antMatchers(HttpMethod.POST,"/execute-payment").permitAll()
.antMatchers(HttpMethod.GET,"/api/ipad/sendSMS").hasRole("USER")
.antMatchers(HttpMethod.GET,"/api/ipad/deactivate").hasRole("USER")
.antMatchers(HttpMethod.GET,"/**").hasRole("USER")
.antMatchers(HttpMethod.POST,"/**").hasRole("USER")
.antMatchers(HttpMethod.PUT,"/**").hasRole("USER")
.antMatchers(HttpMethod.DELETE,"/**").hasRole("USER")
.antMatchers(HttpMethod.PATCH,"/**").hasRole("USER")
.and().httpBasic()
.authenticationEntryPoint(authEntryPoint);
}
**/
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("admin").password("123abc").roles("USER");
}
@Configuration
@Order(1)
public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.antMatchers(HttpMethod.GET,"/pay").permitAll()
.antMatchers(HttpMethod.GET,"/success").permitAll()
.antMatchers(HttpMethod.GET,"/cancel").permitAll()
.antMatchers(HttpMethod.POST,"/create-payment").permitAll()
.antMatchers(HttpMethod.POST,"/execute-payment").permitAll()
.antMatchers(HttpMethod.GET,"/api/ipad/sendSMS").hasRole("USER")
.antMatchers(HttpMethod.GET,"/api/ipad/deactivate").hasRole("USER")
.and().httpBasic();
//.authenticationEntryPoint(authEntryPoint);
}
}
// @Configuration
// public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
//
// @Override
// protected void configure(HttpSecurity http) throws Exception {
// http.csrf().disable().authorizeRequests()
// .antMatchers(HttpMethod.GET,"/**").hasRole("USER")
// .antMatchers(HttpMethod.POST,"/**").hasRole("USER")
// .antMatchers(HttpMethod.PUT,"/**").hasRole("USER")
// .antMatchers(HttpMethod.DELETE,"/**").hasRole("USER")
// .antMatchers(HttpMethod.PATCH,"/**").hasRole("USER")
// .and().formLogin();
//// http
//// .authorizeRequests()
//// .anyRequest().authenticated()
//// .and()
//// .formLogin();
//
// }
// }
@Configuration
public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
// http
// .authorizeRequests()
// .anyRequest().authenticated()
// .and()
// .formLogin();
http.authorizeRequests()
.antMatchers(HttpMethod.GET,"/**").hasRole("USER")
.antMatchers(HttpMethod.POST,"/**").hasRole("USER")
.antMatchers(HttpMethod.PUT,"/**").hasRole("USER")
.antMatchers(HttpMethod.DELETE,"/**").hasRole("USER")
.antMatchers(HttpMethod.PATCH,"/**").hasRole("USER")
.and().formLogin();
}
}
}
基本的に間違ってここに何が起こっているか理解するのに役立ち認証。ただし、認証はorder(1)
ページでのみ機能し、安心して認証を適用しません。私の設定が適切でないかどうかを理解するのを助けてください。