Spring Security Configuration - HttpSecurity vs WebSecurity


Question

I just need to understand something in Spring Security Configuration. Using the example below...

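import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration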
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic()
            .and()
            .authorizeRequests().antMatchers("/secret/**").authenticated()
            .and()
            .authorizeRequests().antMatchers("/**").permitAll();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }

}

What is the purpose of the configure(WebSecurity web) method?

Can't I just add /resources/** in the configure(HttpSecurity http) method, in this line: .authorizeRequests().antMatchers("/**", "/resources/**").permitAll()? Shouldn't it work the same, i.e. permitting all requests to /resources/** without any authentication?

Recommended answer

General use of WebSecurity ignoring() method omits Spring Security and none of Spring Security’s features will be available. WebSecurity is based above HttpSecurity.

@Override
public void configure(WebSecurity web) throws Exception {
    web
        .ignoring()
        .antMatchers("/resources/**")
        .antMatchers("/publics/**");
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .antMatchers("/admin/**").hasRole("ADMIN")
        .antMatchers("/publics/**").hasRole("USER") // no effect
        .anyRequest().authenticated();
}

WebSecurity in the above example lets Spring ignore /resources/** and /publics/**. Therefore the .antMatchers("/publics/**").hasRole("USER") in HttpSecurity is unconsidered.

This will omit the request pattern from the security filter chain entirely. Note that anything matching this path will then have no authentication or authorization services applied and will be freely accessible.

configure(HttpSecurity) allows configuration of web-based security at a resource level, based on a selection match - e.g. The example below restricts the URLs that start with /admin/ to users that have ADMIN role, and declares that any other URLs need to be successfully authenticated.

configure(WebSecurity) is used for configuration settings that impact global security (ignore resources, set debug mode, reject requests by implementing a custom firewall definition). For example, the following method would cause any request that starts with /resources/ to be ignored for authentication purposes.
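
The difference the question asks about can be observed in a test: a permitAll() path still passes through the security filter chain and receives Spring Security's default response headers, while an ignoring() path does not. This is an added example, not code from the original question or answer; it assumes Spring Boot 2.x (Spring Security 5.x, JUnit 5) with the web, security and test starters, and the /open/** and /ignored/** paths and all class names are hypothetical.

```java
// Added example (not from the original post). Assumes Spring Boot 2.x with the
// web, security and test starters; paths and class names are hypothetical.
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.*;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.*;

@SpringBootTest(classes = {IgnoringVsPermitAllTest.Config.class, IgnoringVsPermitAllTest.Ping.class})
@AutoConfigureMockMvc
class IgnoringVsPermitAllTest {
    @Configuration
    @EnableAutoConfiguration
    static class Config extends WebSecurityConfigurerAdapter {
        @Override
        public void configure(WebSecurity web) {
            web.ignoring().antMatchers("/ignored/**");        // no security filters run
        }
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers("/open/**").permitAll()          // filters run, access granted
                .anyRequest().authenticated();
        }
    }
    @RestController
    static class Ping {
        @GetMapping({"/ignored/ping", "/open/ping"})
        public String ping() { return "pong"; }
    }
    @Autowired MockMvc mvc;

    @Test
    void permitAllKeepsTheFilterChain() throws Exception {
        mvc.perform(get("/open/ping")).andExpect(status().isOk())
           .andExpect(header().string("X-Content-Type-Options", "nosniff"));
    }
    @Test
    void ignoringSkipsTheFilterChain() throws Exception {
        mvc.perform(get("/ignored/ping")).andExpect(status().isOk())
           .andExpect(header().doesNotExist("X-Content-Type-Options"));
    }
}
```

Both requests return 200 without credentials; only the permitAll() response carries the headers written by the filter chain.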
