我试图将XML中的实际安全配置传递给Java,但我不知道为什么在两个过滤器中有两个UserdetailsService,过滤器总是使用相同的UserdetailsService。
XML配置:
auto-config="false">
auto-config="false">
auto-config="false">
Java配置:
@EnableWebSecurity
public class SecurityConfig {
@Autowired
private CustomUserAppDetailsService customUserAppDetailsService;
@Autowired
private CustomRefreshTokenAppDetailsService customRefreshTokenAppDetailsService;
@Autowired
private CustomAccessTokenAppDetailsService customAccessTokenAppDetailsService;
@Bean
public TokenAuthenticationEntryPoint tokenAuthenticationEntryPoint(){
return new TokenAuthenticationEntryPoint();
}
@Configuration
@Order(1)
public class RefreshTokenSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Bean
public AuthenticationManager refresTokenAuthenticationManager() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public RefreshTokenAuthenticationFilter refreshTokenAuthenticationFilter(){
return new RefreshTokenAuthenticationFilter();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider ();
authenticationProvider.setUserDetailsService(customRefreshTokenAppDetailsService);
http
.csrf().disable()
.antMatcher("/v1/Login/refresh/**")
.userDetailsService(customRefreshTokenAppDetailsService)
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.exceptionHandling()
.authenticationEntryPoint(tokenAuthenticationEntryPoint())
.and()
.authorizeRequests()
.antMatchers("/v1/Login/refresh/**").access("hasRole('ROLE_USER')")
.and()
.requiresChannel()
.antMatchers("/v1/Login/refresh/**").requiresSecure()
.and()
.addFilterBefore(refreshTokenAuthenticationFilter(), BasicAuthenticationFilter.class);
}
}
@Configuration
@Order(2)
public class LoginSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider ();
authenticationProvider.setUserDetailsService(customUserAppDetailsService);
authenticationProvider.setPasswordEncoder(new Md5PasswordEncoder());
http
.csrf().disable()
.antMatcher("/v1/Login/**")
.authenticationProvider(authenticationProvider)
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests().antMatchers("/v1/Login/**").access("hasRole('ROLE_USER')")
.and()
.requiresChannel().antMatchers("/v1/Login/**").requiresSecure()
.and()
.httpBasic();
}
}
@Configuration
@Order(3)
public class UsuarioSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Bean
public TokenAuthenticationFilter tokenAuthenticationEmpresaFilter() throws Exception {
TokenAuthenticationFilter tokenAuthenticationFilter = new TokenAuthenticationFilter();
tokenAuthenticationFilter.setAuthenticationManager(super.authenticationManager());
return tokenAuthenticationFilter;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider ();
authenticationProvider.setUserDetailsService(customAccessTokenAppDetailsService);
http
.csrf().disable()
.antMatcher("/v1/UsuarioEmpresa/**")
.authenticationProvider(authenticationProvider)
.userDetailsService(customAccessTokenAppDetailsService)
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.exceptionHandling()
.authenticationEntryPoint(tokenAuthenticationEntryPoint())
.and()
.authorizeRequests()
.antMatchers("/v1/UsuarioEmpresa/**").access("hasRole('ROLE_USER')")
.and()
.requiresChannel()
.antMatchers("/v1/UsuarioEmpresa/").requiresSecure()
.antMatchers("/v1/UsuarioEmpresa/**").requiresSecure()
.and()
.addFilterBefore(tokenAuthenticationEmpresaFilter(), BasicAuthenticationFilter.class);
}
}
}出于某种原因,http配置(顺序1和3)均使用customRefreshTokenAppDetailsService。总是使用第一个http的UserDetailsService。