经过大量阅读后,我发现了一些对我有用的东西:
@Configuration@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)@EnableGlobalMethodSecurity(securedEnabled = true)public class WebSecurityConfiguration extends GlobalAuthenticationConfigurerAdapter { @Resource(name = "customUserDetailsService") protected CustomUserDetailsService customUserDetailsService; @Resource private DataSource dataSource; @Autowired protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(customUserDetailsService); } @Configuration @Order(1) public static class ApiConfigurationAdapter extends WebSecurityConfigurerAdapter { @Resource(name = "restUnauthorizedEntryPoint") private RestUnauthorizedEntryPoint restUnauthorizedEntryPoint; @Resource(name = "restAccessDeniedHandler") private RestAccessDeniedHandler restAccessDeniedHandler; @Override protected void configure(HttpSecurity http) throws Exception { SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityXAuthConfigurerAdapter = new XAuthTokenConfigurer( userDetailsServiceBean()); // @formatter:off http .antMatcher("/api/**").csrf().disable() .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() .exceptionHandling() .authenticationEntryPoint(restUnauthorizedEntryPoint) .accessDeniedHandler(restAccessDeniedHandler) .and() .authorizeRequests() .antMatchers(HttpMethod.POST, "/api/authenticate").permitAll() .anyRequest().hasRole("ADMIN") .and() .apply(securityXAuthConfigurerAdapter); // @formatter:on } } @Configuration @Order(2) public static class WebConfigurationAdapter extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests() .antMatchers("/", "/home").permitAll() .anyRequest().authenticated() .and() .formLogin() .loginPage("/login").permitAll() .and() .logout().permitAll() ; // @formatter:on } }}
