How to order multiple <http> elements in Spring Security distributed across multiple files

In Spring Security, you can specify multiple <http> configurations that lead to multiple SecurityFilterChains. I use this feature to protect the REST API separately from a regular web application. Both the web application and the REST API are developed in different modules (Maven artifacts). Spring configurations are collected using a wildcard pattern across the classpath (classpath*:/some-common-config-path/*.xml).

Security-Config for web application in web-security-config.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://cxf.apache.org/configuration/beans http://cxf.apache.org/schemas/configuration/cxf-beans.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

  <!-- Security Config for web app -->
  <http use-expressions="true" auto-config="false" entry-point-ref="loginEntryPoint">
       ...
  </http>

  <!-- Security Config for static resources -->
  <http pattern="/static/**" security="none" />

  ...

</beans:beans>

Security-Config for Rest API in api-security-config.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://cxf.apache.org/configuration/beans http://cxf.apache.org/schemas/configuration/cxf-beans.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

  <http pattern="/api/**" use-expressions="true" create-session="stateless"
        authentication-manager-ref="apiAuthManager" entry-point-ref="restAuthenticationEntryPoint">
      <intercept-url pattern="/api/**" access="hasRole('REST_API')" />
      <http-basic />
  </http>

  ...

</beans:beans>

, , . api-security-config.xml web-security-config.xml, :

java.lang.IllegalArgumentException: ('/**') , . , FilterChainProxy bean

, , <http>, . ?


Spring XML , , XML . :

/some-common-config-path/security.xml, , ( ) :

<import resource="/not-common-config-path/api-security-config.xml"/>
<import resource="/not-common-config-path/web-security-config.xml"/>

Spring Security 3.2 Java @Order. :

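import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class MultiHttpSecurityConfig {
    // Shared in-memory user store used by both filter chains
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }

    // @Order(1): this chain is consulted first
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")   // chain applies only to /api/** requests
                .authorizeRequests()
                    .anyRequest().hasRole("ADMIN")
                    .and()
                .httpBasic();
        }
    }

    // No @Order, so this chain is considered last; it handles every other request
    @Configuration
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin();
        }
    }
}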

, .

Java, . , XML- , Java com.example.config, :

<!-- 
    enable processing of annotations such as @Autowired and @Configuration
    You may already have annotation-config
 -->
<context:annotation-config/>
<!-- Add any Java Configuration -->
<context:component-scan base-package="com.example.config"/>

XML Java Java XML .
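
The ordering problem from the question, as an added example that is not part of the original posts and is not Spring Security's own code: a plain-Java model of first-match chain selection, showing why an <http> element without a pattern (which matches every request) has to come after the /api/** one. The Chain class, its simplified matcher and the chain names are assumptions made for this illustration.

```java
import java.util.Arrays;
import java.util.List;

/** Added illustration: models first-match chain selection without any Spring dependency. */
public class ChainOrderDemo {

    /** Hypothetical stand-in for one <http> element: a label plus its request pattern. */
    static final class Chain {
        final String name, pattern;
        Chain(String name, String pattern) { this.name = name; this.pattern = pattern; }
        boolean isUniversal() { return pattern.equals("/**"); }
        // Simplified matching (assumption): exact paths and a trailing "/**" only.
        boolean matches(String path) {
            if (isUniversal()) return true;
            if (pattern.endsWith("/**")) {
                String prefix = pattern.substring(0, pattern.length() - 3);
                return path.equals(prefix) || path.startsWith(prefix + "/");
            }
            return path.equals(pattern);
        }
    }

    /** The first chain whose pattern matches handles the request; later chains are never asked. */
    static String select(List<Chain> chains, String path) {
        for (Chain c : chains) if (c.matches(path)) return c.name;
        return "none";
    }

    /** Rejects any order in which a catch-all chain is followed by another chain. */
    static void validate(List<Chain> chains) {
        for (int i = 0; i < chains.size() - 1; i++)
            if (chains.get(i).isUniversal())
                throw new IllegalArgumentException("'/**' chain \"" + chains.get(i).name
                        + "\" is defined before \"" + chains.get(i + 1).name + "\"");
    }

    public static void main(String[] args) {
        Chain web = new Chain("web", "/**");      // <http> with no pattern attribute
        Chain api = new Chain("api", "/api/**");  // stateless HTTP Basic chain

        List<Chain> bad = Arrays.asList(web, api);       // web config picked up first
        System.out.println(select(bad, "/api/users"));   // the web chain shadows the API chain
        try { validate(bad); } catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }

        List<Chain> good = Arrays.asList(api, web);      // specific pattern first, catch-all last
        validate(good);                                  // passes without an exception
        System.out.println(select(good, "/api/users"));  // the API chain now handles the request
    }
}
```

With the catch-all chain first, requests to /api/** would be evaluated against the web application's rules instead of the stateless REST_API rules, which is the misrouting the startup check guards against.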


Source: https://habr.com/ru/post/1524484/

