Unauthorized error when configuring two security configurations

Posted by cnwbcb6i on 2021-10-10 in Java

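This question already has answers here:

Spring Security: multiple HTTP configurations not working (2 answers)
Closed two months ago.
I am configuring two security configurations by extending WebSecurityConfigurerAdapter, as follows: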

@Configuration
@Order(100)
public class CustomerSecurityAppConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("user1")
                .password("{noop}password")
                .and()
                .withUser("user2")
                .password("{noop}password");

    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.cors().disable();

        http
                .authorizeRequests()
                .antMatchers("/customers/**")
                .anyRequest()
                .authenticated()
                .and()
                .formLogin()
                .and()
                .httpBasic();
    }
}

@Configuration
class EmployeeSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("admin")
                .password("{noop}password")
                .roles("USER", "ADMIN")
                .and()
                .withUser("user")
                .password("{noop}password")
                .roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.cors().disable();

        http
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/inventory/**")
                .hasAnyRole("USER", "ADMIN")
                .antMatchers(HttpMethod.POST, "/inventory/**")
                .hasRole("ADMIN")
                .anyRequest()
                .authenticated()
                .and()
                .formLogin()
                .and()
                .httpBasic();
    }
}

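The idea here is to have two realms, one for customers and one for orders. When I make HTTP requests, I get a 200 OK response from both the /inventory and /customers endpoints for the users configured in CustomerSecurityConfiguration, and a 401 error for both users configured in EmployeeSecurityConfiguration. I have two REST endpoints, inventory and customers, with GET and POST. Where am I going wrong?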

twh00eeo #1

I had to add a request matcher for http, as shown below:

http
       .requestMatchers().antMatchers("/actuator/**")
       .and()
       .authorizeRequests()
       .anyRequest()
       .authenticated()
       .and()
       .formLogin()
       .and()
       .httpBasic();
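
The request-matcher fix above applied to both realms from the question, as an added example that is not the poster's or the answerer's code: each adapter scopes its filter chain with requestMatchers(), so a request is authenticated only against the user store of the chain that matches its path. Assumptions: Spring Security 5.x, the class names CustomerRealmConfig and EmployeeRealmConfig, the CUSTOMER role, and the @Order values are all illustrative.

```java
// Added example; class names, the CUSTOMER role and the @Order values are assumptions.
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@Order(1) // each adapter needs a distinct order; the lower value is consulted first
public class CustomerRealmConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // {noop} stores the password in plain text, as in the question; demo only
        auth.inMemoryAuthentication()
            .withUser("user1").password("{noop}password").roles("CUSTOMER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // requestMatchers() limits this whole filter chain to /customers/**
        http.requestMatchers().antMatchers("/customers/**").and()
            .authorizeRequests().anyRequest().authenticated().and()
            .httpBasic().and()
            .csrf().disable(); // kept from the question; suits non-browser clients only
    }
}

@Configuration
@Order(2)
class EmployeeRealmConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("admin").password("{noop}password").roles("USER", "ADMIN")
            .and()
            .withUser("user").password("{noop}password").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // This chain, and therefore this user store, applies only to /inventory/**
        http.requestMatchers().antMatchers("/inventory/**").and()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/inventory/**").hasAnyRole("USER", "ADMIN")
            .antMatchers(HttpMethod.POST, "/inventory/**").hasRole("ADMIN")
            .anyRequest().authenticated().and()
            .httpBasic().and()
            .csrf().disable();
    }
}
```

A request whose path matches neither pattern is handled by no security filter chain at all, so it is served without authentication. Add a lowest-priority catch-all configuration (no requestMatchers() call, anyRequest().authenticated() or denyAll()) if other paths exist.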
