Spring Security-除了按角色列出的URL之外,我如何阻止访问任何URL? [英] Spring Security - How do I block access to any url except a few listed by role?

查看:102
本文介绍了Spring Security-除了按角色列出的URL之外,我如何阻止访问任何URL?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

因此,我有一个具有三个不同角色集的Web应用程序.其中一个应该允许任何人查看,即使他们没有登录也是如此.然后,用户必须登录才能看到一组页面,但是如果他们具有候选"角色,则无法访问.最后,候选人"角色只能在/candidate/ID上查看其页面

So I have this web application that has three different sets of roles. One of which should allow anyone to view even if they are not logged in. Then there are a set of pages that the user must be logged into see but if they have the role of "Candidate" they cannot access. Finally, a role of "Candidate" may be able to only view their page at /candidate/ID

除了下面列出的链接外,基本上是否有一种方法可以阻止对基本上是"/**"的任何URL的访问?还是我需要指定每个链接,例如/dashboard/profile

Basically is there a way to block access to any url basically "/**" except the links listed below? Or do I need to specify each link like /dashboard /profile 

 http.authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/index").permitAll()
            .antMatchers("/static/**").permitAll()
            .antMatchers("/assets/**").permitAll()
            .antMatchers("/register").permitAll()
            .antMatchers("/skillRequest/**").permitAll()
            .antMatchers("/skillRequest/skillFormUpdate/**").permitAll()
            .antMatchers("/password/reset").permitAll()
            .antMatchers("/password/reset/complete").permitAll()
            .antMatchers("/email/verify").permitAll()
            .antMatchers("/view/**").permitAll()
            .antMatchers("/embed/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .loginPage("/login")
            .defaultSuccessUrl("/dashboard", false) //Force user to always go to the home page.  
//                .successHandler(successHandler())
            .permitAll()
            .and()
            .httpBasic()
            .and()
            .logout()
            .permitAll();

推荐答案

要做我需要做的事情,我只需要添加

To do what I needed I just had to add

.antMatchers("/**").not().hasAuthority("ROLE_CANDIDATE")

在我想从匹配器中排除的所有网址之后

after any URL i wanted excluded from the matcher

            .antMatchers("/").permitAll()
            .antMatchers("/index").permitAll()
            .antMatchers("/static/**").permitAll()
            .antMatchers("/assets/**").permitAll()
            .antMatchers("/register").permitAll()
            .antMatchers("/skillRequest/**").permitAll()
            .antMatchers("/skillRequest/skillFormUpdate/**").permitAll()
            .antMatchers("/password/reset").permitAll()
            .antMatchers("/password/reset/complete").permitAll()
            .antMatchers("/email/verify").permitAll()
            .antMatchers("/view/**").permitAll()
            .antMatchers("/embed/**").permitAll()

这篇关于Spring Security-除了按角色列出的URL之外,我如何阻止访问任何URL?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
Java开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆