示例:
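/**
 * Two independent Spring Security filter chains that share one global
 * AuthenticationManager (wired in {@link #configureGlobal}):
 * <ul>
 *   <li>{@link AdminLoginSecurityConfigurationAdapter} — Order 1, confined to
 *       {@code /admin/**} by its {@code antMatcher}.</li>
 *   <li>{@link FormLoginWebSecurityConfigurerAdapter} — Order 2, no
 *       {@code antMatcher}, so it receives every request the admin chain does not.</li>
 * </ul>
 * Both chains configure remember-me with the same key and the same
 * UserDetailsService, so a remember-me cookie issued by either chain is accepted
 * by both; what an authenticated principal may reach is then decided solely by each
 * chain's {@code authorizeRequests()} rules.
 */
@EnableWebSecurity
@Order(SecurityProperties.BASIC_AUTH_ORDER)
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class MultiHttpSecurityConfiguration {

    /**
     * Key used to sign remember-me tokens. Both filter chains MUST use the same
     * key — otherwise a remember-me cookie issued by one chain is rejected by the
     * other — so it is defined once here instead of being duplicated as a literal
     * in each chain (the original had two copies that could silently drift apart).
     *
     * SECURITY: this is a hard-coded secret committed to source; anyone with
     * repository read access learns the signing key. It should be loaded from
     * configuration / a secret store and be rotatable (rotation invalidates all
     * outstanding remember-me cookies, which is the desired effect after a leak).
     */
    private static final String REMEMBER_ME_KEY = "uniqueSecretUsedForGenerateToken";

    /** Lifetime of a remember-me cookie: 24 hours, expressed in seconds. */
    private static final int REMEMBER_ME_VALIDITY_SECONDS = 86400;

    /** Request parameter that opts a login into remember-me. */
    private static final String REMEMBER_ME_PARAMETER = "remember-me";

    private final UsersClient usersClient;

    /**
     * @param usersClient backing store the custom UserDetailsService loads users from
     */
    @Autowired
    public MultiHttpSecurityConfiguration(UsersClient usersClient) {
        this.usersClient = usersClient;
    }

    /**
     * Registers the DAO-backed provider on the global AuthenticationManager, which
     * both nested chains inherit as their parent.
     */
    @Autowired
    protected void configureGlobal(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(authProvider());
    }

    /** UserDetailsService that resolves users through {@link #usersClient}. */
    @Bean
    public UserDetailsService customUserDetailsService() {
        CustomUserDetailsService customUserDetailsService = new CustomUserDetailsService();
        customUserDetailsService.setUsersClient(usersClient);
        return customUserDetailsService;
    }

    /**
     * BCrypt at the library's default strength. Stored passwords must therefore be
     * BCrypt hashes; DaoAuthenticationProvider never compares plaintext directly.
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /** Username/password provider combining the custom UserDetailsService and BCrypt. */
    @Bean
    public AuthenticationProvider authProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(customUserDetailsService());
        authProvider.setPasswordEncoder(passwordEncoder());
        return authProvider;
    }

    /**
     * Filter chain for the public / student / teacher site. It is consulted after
     * the admin chain (Order 2 vs. Order 1) and has no {@code antMatcher}, so it
     * handles every request that is not under {@code /admin/**}.
     */
    @Configuration
    @Order(2)
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        private final AccessDeniedHandler accessDeniedHandler;
        private final UserDetailsService customUserDetailsService;

        /**
         * @param accessDeniedHandler      invoked when an authenticated user hits a URL
         *                                 it lacks the role for (e.g. a student on /t/**)
         * @param customUserDetailsService used by remember-me to reload the principal
         */
        @Autowired
        public FormLoginWebSecurityConfigurerAdapter(AccessDeniedHandler accessDeniedHandler,
                                                     UserDetailsService customUserDetailsService) {
            this.accessDeniedHandler = accessDeniedHandler;
            this.customUserDetailsService = customUserDetailsService;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    // Matchers are evaluated top-down; the first match decides.
                    .antMatchers("/personal/**").authenticated()
                    .antMatchers("/t/**").hasRole("TEACHER")
                    .antMatchers("/login**").permitAll()
                    // Default-ALLOW: anything not listed above is public. Any new
                    // protected area must be added above this line or it is exposed.
                    .anyRequest().permitAll()
                    .and()
                .rememberMe()
                    .rememberMeParameter(REMEMBER_ME_PARAMETER)
                    .key(REMEMBER_ME_KEY)
                    .tokenValiditySeconds(REMEMBER_ME_VALIDITY_SECONDS)
                    .userDetailsService(customUserDetailsService)
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .loginProcessingUrl("/doLogin")
                    .successForwardUrl("/login-success")
                    .failureUrl("/login?error=1")
                    .permitAll()
                    .and()
                .logout()
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/") // default landing page after logout is "/"
                    .clearAuthentication(true)
                    .invalidateHttpSession(true)
                    .and()
                .exceptionHandling()
                    .accessDeniedHandler(accessDeniedHandler)
                    .and()
                // SECURITY (review): CSRF protection is disabled on a cookie-session,
                // form-login chain. Every state-changing request can be triggered
                // cross-site, including /doLogin (login CSRF: a victim can be logged
                // into an attacker-controlled account) and /logout, which Spring
                // Security also accepts over GET once the CSRF configurer is removed.
                // Left unchanged here because re-enabling it requires the forms to
                // submit the token; that should be done rather than keeping this line.
                .csrf().disable();
        }
    }

    /**
     * Filter chain for the admin area. Order 1 makes it the first chain consulted;
     * its {@code antMatcher} confines it to {@code /admin/**}, so all other requests
     * fall through to {@link FormLoginWebSecurityConfigurerAdapter}.
     */
    @Configuration
    @Order(1) // lower value = higher precedence: this chain is tried before the form chain
    public static class AdminLoginSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        private final AccessDeniedHandler customAccessDeniedHandler;
        private final UserDetailsService customUserDetailsService;

        /**
         * @param customAccessDeniedHandler invoked when the access expression below
         *                                  rejects an authenticated principal
         * @param customUserDetailsService  used by remember-me to reload the principal
         */
        @Autowired
        public AdminLoginSecurityConfigurationAdapter(AccessDeniedHandler customAccessDeniedHandler,
                                                      UserDetailsService customUserDetailsService) {
            this.customAccessDeniedHandler = customAccessDeniedHandler;
            this.customUserDetailsService = customUserDetailsService;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // Restrict the whole chain to the admin URL space.
                .antMatcher("/admin/**")
                .authorizeRequests()
                    // Login/logout endpoints are reachable anonymously. A "/login"
                    // entry that used to be listed here can never match inside an
                    // "/admin/**" chain and was removed as dead configuration.
                    .antMatchers("/admin/login", "/admin/doLogin", "/admin/logout").permitAll()
                    // SECURITY (review): admin access is granted by a DENY-LIST — any
                    // authenticated principal that is neither STUDENT nor TEACHER gets
                    // in, including accounts with no role at all or with a role added
                    // later. An explicit allow-list (e.g. hasRole('ADMIN')) is the safe
                    // form; kept as-is because the real admin role name is not visible
                    // in this file and must be confirmed against the user data.
                    // isAuthenticated() is also satisfied by a remember-me cookie alone;
                    // consider isFullyAuthenticated() so a long-lived cookie cannot
                    // unlock the admin area without a fresh password login.
                    .anyRequest().access("not( hasAnyRole('STUDENT', 'TEACHER') ) and isAuthenticated()")
                    .and()
                .rememberMe()
                    .rememberMeParameter(REMEMBER_ME_PARAMETER)
                    .key(REMEMBER_ME_KEY)
                    .tokenValiditySeconds(REMEMBER_ME_VALIDITY_SECONDS)
                    .userDetailsService(customUserDetailsService)
                    .and()
                .formLogin()
                    .loginPage("/admin/login")
                    .loginProcessingUrl("/admin/doLogin")
                    .defaultSuccessUrl("/admin")
                    .failureUrl("/admin/login?error=1")
                    .permitAll()
                    .and()
                .logout()
                    .logoutUrl("/admin/logout")
                    .logoutSuccessUrl("/admin/login")
                    .clearAuthentication(true)
                    .invalidateHttpSession(true)
                    .and()
                .exceptionHandling()
                    .accessDeniedHandler(customAccessDeniedHandler)
                    .and()
                // SECURITY (review): same CSRF concern as the form-login chain, and
                // more serious here because every /admin/** POST is state-changing
                // and /admin/logout becomes triggerable via GET.
                .csrf().disable();
        }
    }
}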