@塞图给了你解决问题的基本信息。
请考虑以下代码,该代码改编自
one of the articles
你引用了:
@SpringBootApplication
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class X509AuthenticationServer extends WebSecurityConfigurerAdapter {
...
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
// Define the mapping between the different endpoints
// and the corresponding user roles
.antMatchers("/actuator/health").hasRole("ACTUATOR_HEALTH")
.antMatchers("/actuator/prometheus").hasRole("ACTUATOR_PROMETEUS")
.antMatchers("/config/myservice").hasRole("CONFIG_MYSERVICE")
// Please, adjust the fallback as appropriate
.anyRequest().authenticated()
.and()
// Configure X509Configurer (https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configurers/X509Configurer.html)
.x509()
.subjectPrincipalRegex("CN=(.*?)(?:,|$)")
.userDetailsService(userDetailsService())
;
}
@Bean
public UserDetailsService userDetailsService() {
// Ideally this information will be obtained from a database or some
// configuration information
return new UserDetailsService() {
@Override
public UserDetails loadUserByUsername(String username) {
Objects.requireNonNull(username);
List<GrantedAuthority> authorities = null;
switch (username) {
// Match the different X509 certificate CNs. Maybe you can use the
// X509 certificate subject distinguished name to include the role in
// some way and obtain it directly with the subjectPrincipalRegex
case "Alice":
authorities = AuthorityUtils
.commaSeparatedStringToAuthorityList("ROLE_ACTUATOR_HEALTH, ROLE_CONFIG_MYSERVICE");
break;
case "Bob":
authorities = AuthorityUtils
.commaSeparatedStringToAuthorityList("ROLE_ACTUATOR_PROMETHEUS");
break;
default:
throw new UsernameNotFoundException(String.format("User '%s' not found!", username));
}
return new User(username, "", authorities);
}
};
}
}
请根据需要调整代码,以满足您的实际端点和用户。
