
Securing a Spring Boot API with an API Key and Secret


Create a filter that captures the header used for authentication.

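    import javax.servlet.http.HttpServletRequest;

    import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

    // Pre-authentication filter that reads the API key from a request header.
    public class APIKeyAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

        private String principalRequestHeader;

        public APIKeyAuthFilter(String principalRequestHeader) {
            this.principalRequestHeader = principalRequestHeader;
        }

        // The header value is treated as the principal; it is null when the header is absent.
        @Override
        protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
            return request.getHeader(principalRequestHeader);
        }

        // No separate credential is sent; the key itself is checked by the AuthenticationManager.
        @Override
        protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
            return "N/A";
        }
    }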

Configure the filter in the web security configuration.

    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.authentication.BadCredentialsException;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;

    // Note: WebSecurityConfigurerAdapter is deprecated since Spring Security 5.7 and removed in 6.0.
    @Configuration
    @EnableWebSecurity
    @Order(1)
    public class APISecurityConfig extends WebSecurityConfigurerAdapter {

        // Name of the request header that carries the API key.
        @Value("${yourapp.http.auth-token-header-name}")
        private String principalRequestHeader;

        // Expected API key value.
        @Value("${yourapp.http.auth-token}")
        private String principalRequestValue;

        @Override
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            APIKeyAuthFilter filter = new APIKeyAuthFilter(principalRequestHeader);
            filter.setAuthenticationManager(new AuthenticationManager() {

                @Override
                public Authentication authenticate(Authentication authentication) throws AuthenticationException {
                    String principal = (String) authentication.getPrincipal();
                    // Reject the request unless the header value equals the configured key.
                    if (!principalRequestValue.equals(principal)) {
                        throw new BadCredentialsException("The API key was not found or not the expected value.");
                    }
                    authentication.setAuthenticated(true);
                    return authentication;
                }
            });

            // Apply only to /api/**, keep the API stateless, and require authentication on every request.
            httpSecurity
                .antMatcher("/api/**")
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .addFilter(filter)
                .authorizeRequests().anyRequest().authenticated();
        }
    }
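The `authenticate` method above compares the key with `String.equals`, which returns as soon as the first differing character is found. The following is an added example, not code from the original page: a JDK-only helper that compares SHA-256 digests with `MessageDigest.isEqual` and refuses to start with an empty key. The class name `ApiKeyVerifier` and the sample key are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical helper (not part of the original page) for checking the API key header value.
public class ApiKeyVerifier {

    private final byte[] expectedDigest;

    public ApiKeyVerifier(String expectedKey) {
        if (expectedKey == null || expectedKey.isEmpty()) {
            // Fail at startup rather than run with a missing or empty key property.
            throw new IllegalArgumentException("API key must be configured");
        }
        this.expectedDigest = sha256(expectedKey);
    }

    /** Returns true only when the presented header value matches the configured key. */
    public boolean matches(String presentedKey) {
        if (presentedKey == null) {
            return false; // header absent
        }
        // Both digests are 32 bytes, so the comparison does not depend on key length,
        // and MessageDigest.isEqual does not stop at the first differing byte.
        return MessageDigest.isEqual(expectedDigest, sha256(presentedKey));
    }

    private static byte[] sha256(String value) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(value.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample key, for demonstration only.
        ApiKeyVerifier verifier = new ApiKeyVerifier("constructed-sample-key");
        System.out.println(verifier.matches("constructed-sample-key"));
        System.out.println(verifier.matches("constructed-sample-kex"));
        System.out.println(verifier.matches(null));
    }
}
```

To use it with the configuration above, build one `ApiKeyVerifier` from `principalRequestValue` and throw `BadCredentialsException` when `matches(principal)` returns false.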

