Spring Security-除了按角色列出的URL之外,我如何阻止访问任何URL? [英] Spring Security - How do I block access to any url except a few listed by role?
问题描述
因此,我有一个具有三个不同角色集的Web应用程序.其中一个应该允许任何人查看,即使他们没有登录也是如此.然后,用户必须登录才能看到一组页面,但是如果他们具有候选"角色,则无法访问.最后,候选人"角色只能在/candidate/ID上查看其页面
So I have this web application that has three different sets of roles. One of which should allow anyone to view even if they are not logged in. Then there are a set of pages that the user must be logged into see but if they have the role of "Candidate" they cannot access. Finally, a role of "Candidate" may be able to only view their page at /candidate/ID
除了下面列出的链接外,基本上是否有一种方法可以阻止对基本上是"/**"的任何URL的访问?还是我需要指定每个链接,例如/dashboard/profile
Basically is there a way to block access to any url basically "/**" except the links listed below? Or do I need to specify each link like /dashboard /profile
http.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/index").permitAll()
.antMatchers("/static/**").permitAll()
.antMatchers("/assets/**").permitAll()
.antMatchers("/register").permitAll()
.antMatchers("/skillRequest/**").permitAll()
.antMatchers("/skillRequest/skillFormUpdate/**").permitAll()
.antMatchers("/password/reset").permitAll()
.antMatchers("/password/reset/complete").permitAll()
.antMatchers("/email/verify").permitAll()
.antMatchers("/view/**").permitAll()
.antMatchers("/embed/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/dashboard", false) //Force user to always go to the home page.
// .successHandler(successHandler())
.permitAll()
.and()
.httpBasic()
.and()
.logout()
.permitAll();
推荐答案
要做我需要做的事情,我只需要添加
To do what I needed I just had to add
.antMatchers("/**").not().hasAuthority("ROLE_CANDIDATE")
在我想从匹配器中排除的所有网址之后
after any URL i wanted excluded from the matcher
.antMatchers("/").permitAll()
.antMatchers("/index").permitAll()
.antMatchers("/static/**").permitAll()
.antMatchers("/assets/**").permitAll()
.antMatchers("/register").permitAll()
.antMatchers("/skillRequest/**").permitAll()
.antMatchers("/skillRequest/skillFormUpdate/**").permitAll()
.antMatchers("/password/reset").permitAll()
.antMatchers("/password/reset/complete").permitAll()
.antMatchers("/email/verify").permitAll()
.antMatchers("/view/**").permitAll()
.antMatchers("/embed/**").permitAll()
这篇关于Spring Security-除了按角色列出的URL之外,我如何阻止访问任何URL?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!