Introduction
I recently had a requirement to expose an external API that needed HTTP Basic authentication. The application already uses form-based authentication, so how can form authentication and Basic authentication be combined?
Adding Basic authentication in spring-security.xml
The configuration is shown below. Spring Security supports multiple http elements, one handling Basic authentication and the other form authentication. Adding http-basic automatically configures the Basic authentication strategy for that chain.
<!-- Basic authentication -->
<security:http pattern="/basic/**" use-expressions="true">
    <security:intercept-url pattern="/basic/**" access="isAuthenticated()" />
    <security:http-basic />
</security:http>
<!-- Form authentication -->
<security:http pattern="/**" auto-config="true" use-expressions="true">
    <security:csrf disabled="true" />
    <security:intercept-url pattern="/my-login.jsp" access="permitAll" />
    <security:intercept-url pattern="/loginfail.jsp" access="permitAll" />
    <security:intercept-url pattern="/indicator" access="permitAll" />
    <security:intercept-url pattern="/admin/**" access="hasAuthority('admin')"/>
    <security:intercept-url pattern="/**" access="isAuthenticated()" />
    <security:form-login login-page="/my-login.jsp"
        authentication-failure-handler-ref="authenticationFailureHandler"
        authentication-success-handler-ref="authenticationSuccessHandler" />
    <security:logout logout-url="/logout"/>
</security:http>
There is a pitfall here: on the http element for Basic authentication (pattern="/basic/**"), the pattern attribute must be specified.
If it is omitted, that element defaults to /**, i.e. every URL, so the form-authentication chain is never reached. On the next server restart, startup fails with the following error.
Caused by: java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your namespace or FilterChainProxy bean configuration
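The same two-chain layout expressed in Spring Security Java configuration, as an added example that is not part of the original post. It assumes Spring Security 5.8 or later (the securityMatcher and requestMatchers API); the failure and success handler beans referenced in the XML are not shown on the page, so the example substitutes a failure URL of /loginfail.jsp, which is an assumption. The ordering constraint from the XML applies here too: the narrower /basic/** chain must be ordered before the catch-all chain, otherwise it is never consulted.

```java
// Added example (not the original post's configuration).
// Assumes Spring Security 5.8+ / 6.x.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class MixedAuthConfig {

    // Chain 1: HTTP Basic for the external API only.
    // securityMatcher("/basic/**") plays the role of pattern="/basic/**" on the
    // <security:http> element. @Order(1) places this chain before the catch-all
    // chain; with no matcher it would claim every request, and ordered after the
    // catch-all it would never run (the same ordering problem the XML error describes).
    @Bean
    @Order(1)
    SecurityFilterChain basicApiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/basic/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Chain 2: form login for everything else (the pattern="/**" element).
    // CSRF is disabled here only to mirror the original XML; for browser-facing
    // form login it should normally stay enabled.
    @Bean
    @Order(2)
    SecurityFilterChain formLoginChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/my-login.jsp", "/loginfail.jsp", "/indicator").permitAll()
                .requestMatchers("/admin/**").hasAuthority("admin")
                .anyRequest().authenticated())
            .formLogin(form -> form
                .loginPage("/my-login.jsp")
                // Assumption: the XML's authenticationFailureHandler bean is not on the
                // page, so a plain failure URL stands in for it here.
                .failureUrl("/loginfail.jsp"))
            .logout(logout -> logout.logoutUrl("/logout"));
        return http.build();
    }
}
```

A quick way to confirm the split is working is to request a /basic/ URL without credentials and check that the response is a 401 carrying a WWW-Authenticate: Basic header rather than a redirect to /my-login.jsp; a redirect means the catch-all form chain is handling the request, which is exactly the symptom of a missing or mis-ordered matcher.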