Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share

java - Spring 2 WebSecurity different Authentications not working as intended

I'm currently struggling with the WebSecurityConfig from Spring. I do have a service which is protected with an IPAuthProvider (only whitelisted IPs can access the service). For monitoring reasons I exposed a /prometheus endpoint and I don't want the IPAuth there but only Basic Auth. However, the following code adds IPAuth AND Basic Auth to the /prometheus endpoint.

    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    // IpAuth, CustomAuthenticationFailureHandler, CustomAuthenticationSuccessHandler,
    // SystemConfig and PrometheusAuthEntryPoint are the application's own classes.
    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(securedEnabled = true)
    public class SecurityConfig {

        // Second chain: handles every request the first chain did not claim,
        // form login backed by the IP-whitelist authentication provider.
        @Order(2)
        @Configuration
        public static class WebSecurityConfig extends WebSecurityConfigurerAdapter {

            private final IpAuth ipAuth;
            private final CustomAuthenticationFailureHandler failureHandler;
            private final CustomAuthenticationSuccessHandler successHandler;

            public WebSecurityConfig(IpAuth ipAuth,
                                     CustomAuthenticationFailureHandler failureHandler,
                                     CustomAuthenticationSuccessHandler successHandler) {
                this.ipAuth = ipAuth;
                this.failureHandler = failureHandler;
                this.successHandler = successHandler;
            }

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .authorizeRequests()
                    .antMatchers(HttpMethod.POST, "/refresh")
                    .permitAll()
                    .antMatchers("/css/*.css", "/js/*.js")
                    .permitAll()
                    .anyRequest()
                    .authenticated()
                    .and()
                    .formLogin()
                    .loginPage("/loginPage")
                    .failureHandler(failureHandler)
                    .successHandler(successHandler)
                    .and()
                    .logout()
                    .logoutUrl("/logoutPage")
                    .invalidateHttpSession(true)
                    .deleteCookies("JSESSIONID")
                    .permitAll()
                    .and()
                    .csrf()
                    .disable();
            }

            // Registers the IP-whitelist provider with this chain's AuthenticationManager.
            @Override
            public void configure(AuthenticationManagerBuilder auth) {
                auth.authenticationProvider(ipAuth);
            }
        }

        // First chain: only /prometheus, protected with HTTP Basic.
        @Order(1)
        @Configuration
        public static class PrometheusConfig extends WebSecurityConfigurerAdapter {

            private final SystemConfig systemConfig;
            private final PrometheusAuthEntryPoint prometheusAuthEntryPoint;

            public PrometheusConfig(SystemConfig systemConfig, PrometheusAuthEntryPoint prometheusAuthEntryPoint) {
                this.systemConfig = systemConfig;
                this.prometheusAuthEntryPoint = prometheusAuthEntryPoint;
            }

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .antMatcher("/prometheus")
                    .authorizeRequests()
                    .anyRequest()
                    .authenticated()
                    .and()
                    .httpBasic()
                    .authenticationEntryPoint(prometheusAuthEntryPoint);
            }
        }
    }

Any help or hint is highly appreciated, I'm really stuck at this point.

Thanks in advance!



1 Reply


You can configure your WebSecurityConfig in such a way that it processes all the requests that do not start with /prometheus.

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            // Negative lookahead: this chain never claims /prometheus itself, anything below it,
            // or /prometheus?query (the regex matcher sees the path together with the query string).
            .regexMatcher("^(?!/prometheus([/?]|$)).*$")
            .authorizeRequests()
            .antMatchers(HttpMethod.POST, "/refresh")
            .permitAll()
            .antMatchers("/css/*.css", "/js/*.js")
            .permitAll()
            .anyRequest()
            .authenticated()
            .and()
            .formLogin()
            .loginPage("/loginPage")
            .failureHandler(failureHandler)
            .successHandler(successHandler)
            .and()
            .logout()
            .logoutUrl("/logoutPage")
            .invalidateHttpSession(true)
            .deleteCookies("JSESSIONID")
            .permitAll()
            .and()
            .csrf()
            .disable();
    }

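The following is an added example, not code from the question or the answer above, showing the complete shape both of them are working towards: two ordered filter chains, each with its own authentication manager, so the IP-whitelist provider is used only by the application chain and the /prometheus chain answers with HTTP Basic alone. The package name, the class names, the `scraper` user and its placeholder password, and the injection of the post's `IpAuth` through the `AuthenticationProvider` interface are assumptions; the CSRF handling of `/refresh` is also an assumption, since the original disables CSRF outright.

```java
// Added example (not the post's code): two ordered filter chains with isolated
// AuthenticationManagers. Package, class and user names are assumptions.
package example.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class SplitChainSecurityConfig {

    // Chain 1 (consulted first): claims exactly /prometheus and nothing else.
    @Order(1)
    @Configuration
    public static class MonitoringChain extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/prometheus")             // every other URL falls through to chain 2
                .authorizeRequests()
                    .anyRequest().hasRole("MONITOR")
                    .and()
                .httpBasic()
                    .realmName("monitoring")           // unauthenticated -> 401 + WWW-Authenticate, never a redirect to /loginPage
                    .and()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)  // scrapers resend credentials on every call
                    .and()
                .csrf().disable();                     // stateless GET endpoint: no session or cookie to protect
        }

        // Overriding this method gives the chain its own local AuthenticationManager, so the
        // IP provider registered in chain 2 is never consulted for /prometheus.
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                .withUser("scraper")                   // assumed user name
                .password("{noop}change-me")           // placeholder: use a {bcrypt} hash loaded from configuration
                .roles("MONITOR");
        }
    }

    // Chain 2: everything except /prometheus, form login backed by the IP-whitelist provider.
    @Order(2)
    @Configuration
    public static class ApplicationChain extends WebSecurityConfigurerAdapter {

        private final AuthenticationProvider ipAuth;   // the post's IpAuth, injected through its interface

        public ApplicationChain(AuthenticationProvider ipAuth) {
            this.ipAuth = ipAuth;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // Belt and braces: even if the @Order values were swapped, this chain refuses /prometheus.
                // The regex matcher sees path plus query string, hence the [/?] alternative.
                .regexMatcher("^(?!/prometheus([/?]|$)).*$")
                .authorizeRequests()
                    .antMatchers(HttpMethod.POST, "/refresh").permitAll()
                    .antMatchers("/css/*.css", "/js/*.js").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/loginPage").permitAll()
                    .and()
                .logout()
                    .logoutUrl("/logoutPage")
                    .invalidateHttpSession(true)
                    .deleteCookies("JSESSIONID")
                    .permitAll()
                    .and()
                .csrf()
                    .ignoringAntMatchers("/refresh");  // assumption: keep CSRF on for the browser session, skip it only for the token-less POST
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) {
            auth.authenticationProvider(ipAuth);       // only this chain uses the IP whitelist
        }
    }
}
```

To check the split, `curl -i http://localhost:8080/prometheus` should return `401` with a `WWW-Authenticate: Basic realm="monitoring"` header rather than a `302` to `/loginPage`, and the same request with `-u scraper:change-me` should return `200`; an unauthenticated request to any other URL should still redirect to `/loginPage`. The design point is the second `configure` override in each chain: in the `WebSecurityConfigurerAdapter` model, an adapter that does not override `configure(AuthenticationManagerBuilder)` (as the question's `PrometheusConfig` does not) falls back to the application-wide `AuthenticationManager`, and Spring Boot builds that manager from a lone `AuthenticationProvider` bean it finds in the context, so an IP provider declared as a component can end up behind the monitoring endpoint's Basic authentication as well. Giving the monitoring chain its own manager with its own user store keeps the two authentication paths separate.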