How can I implement Basic Authentication with JWT authentication in Spring Boot?


I have built a Spring Boot application that works with JWT authentication.




        

    You will have to create two different WebSecurityConfigurerAdapter configurations with different root URLs. If the URLs overlap (i.e. `/admin` and `/**`), you will need to define the priority with the @Order annotation on each configuration.

    Here's a working example for HTTP Basic and form-based authentication.

    https://github.com/ConsciousObserver/TestMultipleLoginPagesFormAndBasic.git

    package com.test;
    
    import javax.servlet.http.HttpSession;
    
    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    
    /**
     * Boot entry point for the demo. The controller and the three
     * {@code WebSecurityConfigurerAdapter} configurations in this package are
     * picked up by the component scan that {@code @SpringBootApplication} enables.
     */
    @SpringBootApplication
    public class TestMultipleLoginPagesApplication {

        /**
         * Starts the Spring Boot application.
         *
         * @param args command-line arguments forwarded to Spring Boot
         */
        public static void main(String[] args) {
            Class<TestMultipleLoginPagesApplication> application = TestMultipleLoginPagesApplication.class;
            SpringApplication.run(application, args);
        }
    }
    
    /**
     * View controllers for the two demo areas: {@code /form/**} (form login) and
     * {@code /basic/**} (HTTP Basic). Every handler only resolves a view name;
     * the view templates themselves are not part of this listing.
     */
    @Controller
    class MvcController {
        private static final String FORM_LOGIN_VIEW = "formLogin";
        private static final String FORM_HOME_VIEW = "formHome";
        private static final String BASIC_HOME_VIEW = "basicHome";
        private static final String BASIC_LOGOUT_VIEW = "basicLogout";

        /**
         * Renders the custom login page that {@code FormSecurity} points to.
         *
         * @return the login view name
         */
        @RequestMapping(method = RequestMethod.GET, path = "form/formLogin")
        public String formLoginPage() {
            return FORM_LOGIN_VIEW;
        }

        /**
         * Landing page after a successful form login.
         *
         * @return the form-area home view name
         */
        @RequestMapping(method = RequestMethod.GET, path = "form/formHome")
        public String formHomePage() {
            return FORM_HOME_VIEW;
        }

        /**
         * Protected page of the HTTP Basic area.
         *
         * @return the basic-area home view name
         */
        @RequestMapping(method = RequestMethod.GET, path = "basic/basicHome")
        public String userHomePage() {
            return BASIC_HOME_VIEW;
        }

        /**
         * Invalidates the current HTTP session and renders the logout view.
         *
         * Review note: this is a state-changing GET handler, and with HTTP Basic
         * the browser normally keeps resending its cached credentials, so
         * invalidating the server-side session alone is unlikely to end the
         * {@code /basic/**} login — presumably the logout view explains that to
         * the user; confirm against the template.
         *
         * @param session the caller's HTTP session, invalidated here
         * @return the basic-area logout view name
         */
        @RequestMapping(method = RequestMethod.GET, path = "basic/logout")
        public String userLogout(HttpSession session) {
            session.invalidate();
            return BASIC_LOGOUT_VIEW;
        }
    }
    
    /**
     * Form-login protection for {@code /form/**}. Ordered first so that its
     * {@code antMatcher} wins over the catch-all {@code RootUrlSecurity}.
     */
    @Configuration
    @Order(1)
    class FormSecurity extends WebSecurityConfigurerAdapter {

        /**
         * Restricts {@code /form/**} to {@code ROLE_FORM_USER} and wires the custom
         * login page, the login-processing URL and the logout URL.
         *
         * @param http the builder scoped to {@code /form/**}
         * @throws Exception propagated from the {@link HttpSecurity} builder
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/form/**");
            http.authorizeRequests()
                .anyRequest().hasRole("FORM_USER");
            http.formLogin()
                .loginPage("/form/formLogin").permitAll()
                .loginProcessingUrl("/form/formLoginPost").permitAll()
                .defaultSuccessUrl("/form/formHome");
            http.logout()
                .logoutUrl("/form/logout")
                .logoutSuccessUrl("/form/formLogin");
            // Basic auth is handled by BasicAuthSecurity; keep it off here so the
            // browser is never offered a Basic challenge on the form area.
            http.httpBasic().disable();
            // Demo-only: CSRF is switched off to keep the example short. A real
            // form login should leave CSRF protection enabled and put the token
            // in the login/logout forms instead.
            http.csrf().disable();
        }

        /**
         * Single in-memory demo account for the form area.
         *
         * Review note: the password is stored as a plain literal; on Spring
         * Security 5+ in-memory users need a PasswordEncoder (for a demo the
         * {@code {noop}} prefix) — verify against the project's Spring version.
         *
         * @param auth the authentication builder to register the user with
         * @throws Exception propagated from the builder
         */
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                .withUser("user")
                .password("test")
                .roles("FORM_USER");
        }
    }
    
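    /**
     * HTTP Basic protection for {@code /basic/**}. Ordered after
     * {@code FormSecurity} and before the catch-all {@code RootUrlSecurity}.
     */
    @Configuration
    @Order(2)
    class BasicAuthSecurity extends WebSecurityConfigurerAdapter {

        /**
         * Requires {@code ROLE_BASIC_USER} for everything under {@code /basic/**}
         * except {@code /basic/logout}, which stays reachable without credentials.
         *
         * @param http the builder scoped to {@code /basic/**}
         * @throws Exception propagated from the {@link HttpSecurity} builder
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/basic/**")
                .authorizeRequests()
                    // The specific matcher has to come before anyRequest(): rules
                    // are evaluated in declaration order, so a permitAll() listed
                    // after anyRequest() is dead (and recent Spring Security
                    // versions reject that ordering with an exception).
                    .antMatchers("/basic/logout").permitAll()
                    .anyRequest().hasRole("BASIC_USER")
                .and()
                    .httpBasic()
                .and()
                    // Demo-only: CSRF is disabled to keep the example short.
                    .csrf().disable();
        }

        /**
         * Single in-memory demo account for the basic area.
         *
         * Review note: the password is stored as a plain literal; on Spring
         * Security 5+ in-memory users need a PasswordEncoder (for a demo the
         * {@code {noop}} prefix) — verify against the project's Spring version.
         *
         * @param auth the authentication builder to register the user with
         * @throws Exception propagated from the builder
         */
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                .withUser("basic_user")
                .password("test")
                .roles("BASIC_USER");
        }
    }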
    
    /**
     * Catch-all configuration for every URL not claimed by {@code FormSecurity}
     * or {@code BasicAuthSecurity}. It is last in the order, so {@code /form/**}
     * and {@code /basic/**} take priority over it.
     */
    @Configuration
    @Order(3)
    class RootUrlSecurity extends WebSecurityConfigurerAdapter {

        /**
         * Permits every request. Any security expectation for the root URL
         * space belongs here.
         *
         * @param http the builder scoped to {@code /**}
         * @throws Exception propagated from the {@link HttpSecurity} builder
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/**");
            http.authorizeRequests()
                .anyRequest()
                .permitAll();
        }
    }
    

    Note: Since these login pages belong to the same application, they share the SecurityContextHolder (the security context). So if you log in through one login page and then try to reach the protected resource of the other, you won't be redirected to the other login page. Instead you'll get a 403 (depending on the roles assigned by the different login pages). Only one login session can be maintained at a time.
