对于最新的稳定版本，请使用 Spring Security 6.4.5！spring-doc.cadn.net.cn

Kotlin 配置

Spring Security 提供了一个示例应用程序来演示 Spring Security Kotlin 配置的使用。spring-doc.cadn.net.cn

HttpSecurity 安全

Spring Security 如何知道我们要要求所有用户都经过身份验证？ Spring Security 如何知道我们想要支持基于表单的身份验证？有一个配置类（称为SecurityFilterChain），该 API 的调用正在后台调用。它使用以下默认实现进行配置：spring-doc.cadn.net.cn

import org.springframework.security.config.annotation.web.invoke

@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
   http {
        authorizeRequests {
            authorize(anyRequest, authenticated)
        }
       formLogin { }
       httpBasic { }
    }
    return http.build()
}









Make sure that import the invoke function in your class, sometimes the IDE will not auto-import it causing compilation issues.





The default configuration (shown in the preceding listing):spring-doc.cadn.net.cn




Ensures that any request to our application requires the user to be authenticatedspring-doc.cadn.net.cn


Lets users authenticate with form-based loginspring-doc.cadn.net.cn


Lets users authenticate with HTTP Basic authenticationspring-doc.cadn.net.cn




Note that this configuration is parallels the XML namespace configuration:spring-doc.cadn.net.cn



<http>
	<intercept-url pattern="/**" access="authenticated"/>
	<form-login />
	<http-basic />
</http>



Multiple HttpSecurity Instances


We can configure multiple HttpSecurity instances, just as we can have multiple <http> blocks.
The key is to register multiple SecurityFilterChain @Beans.
The following example has a different configuration for URL’s that start with /api/:spring-doc.cadn.net.cn



@Configuration
import org.springframework.security.config.annotation.web.invoke

@EnableWebSecurity
class MultiHttpSecurityConfig {
    @Bean                                                            (1)
    public fun userDetailsService(): UserDetailsService {
        val users: User.UserBuilder = User.withDefaultPasswordEncoder()
        val manager = InMemoryUserDetailsManager()
        manager.createUser(users.username("user").password("password").roles("USER").build())
        manager.createUser(users.username("admin").password("password").roles("USER","ADMIN").build())
        return manager
    }

    @Order(1)                                                        (2)
    @Bean
    open fun apiFilterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            securityMatcher("/api/**")                               (3)
            authorizeRequests {
                authorize(anyRequest, hasRole("ADMIN"))
            }
            httpBasic { }
        }
        return http.build()
    }

    @Bean                                                            (4)
    open fun formLoginFilterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            authorizeRequests {
                authorize(anyRequest, authenticated)
            }
            formLogin { }
        }
        return http.build()
    }
}






1
Configure Authentication as usual.


2
Create an instance of SecurityFilterChain that contains @Order to specify which SecurityFilterChain should be considered first.


3
The http.antMatcher states that this HttpSecurity is applicable only to URLs that start with /api/


4
Create another instance of SecurityFilterChain.
If the URL does not start with /api/, this configuration is used.
This configuration is considered after apiFilterChain, since it has an @Order value after 1 (no @Order defaults to last).

1	Configure Authentication as usual.
2	Create an instance of `SecurityFilterChain` that contains `@Order` to specify which `SecurityFilterChain` should be considered first.
3	The `http.antMatcher` states that this `HttpSecurity` is applicable only to URLs that start with `/api/`
4	Create another instance of `SecurityFilterChain`. If the URL does not start with `/api/`, this configuration is used. This configuration is considered after `apiFilterChain`, since it has an `@Order` value after `1` (no `@Order` defaults to last).