http.antMatcher("/**") .authorizeRequests().antMatchers("/") 中的 antMatcher("/**") 需要什么? [英] What is the need for antMatcher("/**") in http.antMatcher("/**") .authorizeRequests().antMatchers("/")?

问题描述

我正在学习 spring 安全，我从 https 中发现了这段代码://spring.io/guides/tutorials/spring-boot-oauth2/

I'm learnig spring security and I came across this piece of code from https://spring.io/guides/tutorials/spring-boot-oauth2/

 @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .antMatcher("/**")
      .authorizeRequests()
        .antMatchers("/", "/login**", "/webjars/**", "/error**")
        .permitAll()
      .anyRequest()
        .authenticated();
  }

我删除了 .antMatcher("/**") 并且代码仍然有效.我知道 ** 匹配路径中的零个或多个目录，所以我认为 antMatcher("/**").authorizeRequestes().antMatcher("/login")将直接或间接匹配根路径下的 "/login" ，即我希望它匹配像 /login 和 /demo/login 这样的路径但事实并非如此，它仅匹配根路径正下方的 /login.那么这里.antMatcher("/**")到底需要什么?

I removed .antMatcher("/**") and the code is still working. I understand ** matches zero or more directories in a path, So I thought antMatcher("/**").authorizeRequestes().antMatcher("/login") would match "/login" that is directly or indirectly under root path, ie I expected it match paths like /login and /demo/login but that's not the case, It matches only /login that's directly underneath the root path. So what exactly is the need for .antMatcher("/**") here?

推荐答案

它们是不同的东西.

• http.antMatcher() 配置此 SecurityFilterChain 将处理哪个 URL.默认是匹配所有 URL.这就是为什么如果你删除 http.antMatcher("/**") 也是一样的.

• http.antMatcher() configures which URL will be handled by this SecurityFilterChain. The default is to match all URL. That why it is the same if you remove http.antMatcher("/**").

http.authorizeRequests() 配置 URL 的授权事项，例如是否需要进行身份验证或是否只有某些角色可以访问它等.

http.authorizeRequests() configures the authorisation matter for an URL such as things like if it requires to be authenticated or if only certain roles can access it etc.

因此，如果 URL 与 http.antMatcher() 不匹配，Spring 安全性将不会处理它并且 http.authorizeRequests() 将不适用于此 URL.换句话说，为了让http.authorizeRequests()中配置的URL生效，必须由Spring Security处理，并在http.antMatcher()中进行匹配

So if an URL does not matched with http.antMatcher() , Spring security will not handle it and http.authorizeRequests() will not apply to this URL. In other words , in order to have the URL configured in http.authorizeRequests() to take effect , it should be handled by Spring Security and matched in http.antMatcher() too.

这篇关于http.antMatcher("/**") .authorizeRequests().antMatchers("/") 中的 antMatcher("/**") 需要什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！