SpringFramework/Spring Security
Multiple SecurityChain
Drawhale
2023. 7. 9. 14:06
Multiple SecurityChain
이전에 하나로 작성한 SecurityFilterChain을 연달아서 정의할 수도 있다. 각각의 filter의 이름은 달라야하며 @Order라는 Annotation으로 Filter등록 순서를 정할 수 있다. 낮은 순서가 우선시 된다.
@Configuration
@EnableWebSecurity
public class SecurityConfiguration {
@Bean
@Order(100)
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.securityMatcher("/user")
.authorizeHttpRequests(authorize -> {
authorize.requestMatchers(HttpMethod.GET, "/").permitAll();
authorize.requestMatchers(HttpMethod.GET, "/user/**").hasAnyAuthority("ROLE_ADMIN", "ROLE_USER", "OIDC_USER");
authorize.anyRequest().authenticated();
})
.formLogin(withDefaults());
return http.build();
}
@Bean
@Order(101)
SecurityFilterChain securityFilterChainAdmin(HttpSecurity http) throws Exception {
http
.securityMatcher("/admin")
.authorizeHttpRequests(authorize -> {
authorize.requestMatchers("/admin/**").hasAnyAuthority("ROLE_ADMIN");
authorize.anyRequest().authenticated();
})
.formLogin(withDefaults());
return http.build();
}
@Bean
@Order(102)
SecurityFilterChain securityFilterChainHome(HttpSecurity http) throws Exception {
http
.securityMatcher("/")
.authorizeHttpRequests(authorize -> {
authorize.anyRequest().permitAll();
})
.formLogin(withDefaults());
return http.build();
}
@Bean
@Order(103)
SecurityFilterChain securityFilterChainOther(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(authorize -> {
authorize.anyRequest().denyAll();
})
.formLogin(withDefaults());
return http.build();
}
@Bean
JdbcUserDetailsManager jdbcUserDetailsManager(DataSource dataSource) {
return new JdbcUserDetailsManager(dataSource);
}
@Bean
DataSource dataSource() {
return DataSourceBuilder.create()
.driverClassName("org.h2.Driver")
.url("jdbc:h2:mem:testdb")
.username("sa")
.password("")
.build();
}
}@Order는 Bean생성 순서에 영향을 미치므로 주의해서 사용해야 한다.
반응형