根据客户端启用 Spring 安全认证 URL
Enable Spring Security authentication depending on client URL
我有一个使用 JWT 身份验证的 Spring 应用程序。
我想知道您是否有可能根据哪个客户端访问我的后端来释放路由,例如:
clientA:8080 - 允许 /health 路由,无需身份验证clientB:8081 - 具有 /health 未经 JWT 身份验证不允许的路由。
我试过这样的事情:
http.authorizeRequests().antMatchers("http://clientA/health").permitAll()
但是没用。
我强烈反对这种不是强身份验证机制的身份验证。但是,您可以像进行多重身份验证一样实现。基本上你需要多个 WebSecurityConfigurerAdapter with a requestMatcher.
这是一个快速示例(不要这样做):
安全配置
@Configuration
@EnableWebSecurity
public class SecurityConfigurations {
@Configuration
@Order(1)
public static class NoAuth extends WebSecurityConfigurerAdapter {
@Override
protected void configure(final HttpSecurity http) throws Exception {
http.requestMatcher(r -> r.getRequestURL().toString().startsWith("http://localhost:8081"))
.authorizeRequests()
.anyRequest().permitAll();
}
}
@Configuration
@Order(2)
public static class Auth extends WebSecurityConfigurerAdapter {
@Override
protected void configure(final HttpSecurity http) throws Exception {
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
final byte[] salt = "random".getBytes(StandardCharsets.UTF_8);
KeySpec spec = new PBEKeySpec("password".toCharArray(), salt, 65536, 256);
SecretKey key = new SecretKeySpec(factory.generateSecret(spec).getEncoded(), "AES");
System.out.println(Base64.getEncoder().encodeToString(key.getEncoded()));
http.authorizeRequests()
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.jwt()
.decoder(NimbusJwtDecoder.withSecretKey(key).build());
}
}
}
应用配置:
@SpringBootApplication
public class DemoApplication {
public static void main(String[] args) {
SpringApplication.run(DemoApplication.class, args);
}
@Bean
public ServletWebServerFactory serverContainer() {
TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
tomcat.addAdditionalTomcatConnectors(createConnector());
return tomcat;
}
private Connector createConnector() {
Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
connector.setPort(8081);
connector.setScheme("http");
connector.setSecure(false);
return connector;
}
}
控制器
@RestController
public class HealthApi {
@GetMapping("/health")
public String health() {
return "healthy";
}
}
你可以用curl测试一下:
curl -v localhost:8081/health
200 OK 健康
curl -v localhost:8080/health
401
curl -v -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.LUn3qZESwtUIbXrD3WSd3CNEOTwbKV9x2IahoLUCyAs" localhost:8080/health
200 OK 健康
我有一个使用 JWT 身份验证的 Spring 应用程序。
我想知道您是否有可能根据哪个客户端访问我的后端来释放路由,例如:
clientA:8080- 允许/health路由,无需身份验证clientB:8081- 具有/health未经 JWT 身份验证不允许的路由。
我试过这样的事情:
http.authorizeRequests().antMatchers("http://clientA/health").permitAll()
但是没用。
我强烈反对这种不是强身份验证机制的身份验证。但是,您可以像进行多重身份验证一样实现。基本上你需要多个 WebSecurityConfigurerAdapter with a requestMatcher.
这是一个快速示例(不要这样做):
安全配置
@Configuration
@EnableWebSecurity
public class SecurityConfigurations {
@Configuration
@Order(1)
public static class NoAuth extends WebSecurityConfigurerAdapter {
@Override
protected void configure(final HttpSecurity http) throws Exception {
http.requestMatcher(r -> r.getRequestURL().toString().startsWith("http://localhost:8081"))
.authorizeRequests()
.anyRequest().permitAll();
}
}
@Configuration
@Order(2)
public static class Auth extends WebSecurityConfigurerAdapter {
@Override
protected void configure(final HttpSecurity http) throws Exception {
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
final byte[] salt = "random".getBytes(StandardCharsets.UTF_8);
KeySpec spec = new PBEKeySpec("password".toCharArray(), salt, 65536, 256);
SecretKey key = new SecretKeySpec(factory.generateSecret(spec).getEncoded(), "AES");
System.out.println(Base64.getEncoder().encodeToString(key.getEncoded()));
http.authorizeRequests()
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.jwt()
.decoder(NimbusJwtDecoder.withSecretKey(key).build());
}
}
}
应用配置:
@SpringBootApplication
public class DemoApplication {
public static void main(String[] args) {
SpringApplication.run(DemoApplication.class, args);
}
@Bean
public ServletWebServerFactory serverContainer() {
TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
tomcat.addAdditionalTomcatConnectors(createConnector());
return tomcat;
}
private Connector createConnector() {
Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
connector.setPort(8081);
connector.setScheme("http");
connector.setSecure(false);
return connector;
}
}
控制器
@RestController
public class HealthApi {
@GetMapping("/health")
public String health() {
return "healthy";
}
}
你可以用curl测试一下:
curl -v localhost:8081/health
200 OK 健康
curl -v localhost:8080/health
401
curl -v -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.LUn3qZESwtUIbXrD3WSd3CNEOTwbKV9x2IahoLUCyAs" localhost:8080/health
200 OK 健康