Spring Security Configuration - HttpSecurity vs WebSecurity

Question

I just need to understand something in Spring Security Configuration. Using the example below...

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Rules evaluated inside the Spring Security filter chain.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic()
            .and()
            .authorizeRequests().antMatchers("/secret/**").authenticated()
            .and()
            .authorizeRequests().antMatchers("/**").permitAll();
    }

    // Paths taken out of the Spring Security filter chain altogether.
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }

}

What is the purpose of the configure(WebSecurity web) method?

Can't I just add /resources/** in the configure(HttpSecurity http) method in this line .authorizeRequests().antMatchers("/**", "/resources/**").permitAll(); Shouldn't it work the same i.e. permitting all requests to /resources/** without any authentication?

Recommended answer

General use of the WebSecurity ignoring() method omits Spring Security, and none of Spring Security's features will be available. WebSecurity sits above HttpSecurity.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
            .antMatchers("/resources/**")
            .antMatchers("/publics/**"); // both patterns bypass the security filter chain entirely
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/admin/**").hasRole("ADMIN")
            .antMatchers("/publics/**").hasRole("USER") // no effect: /publics/** never reaches this chain
            .anyRequest().authenticated();
    }
}

WebSecurity in the above example lets Spring ignore /resources/** and /publics/**. Therefore the .antMatchers("/publics/**").hasRole("USER") in HttpSecurity is not taken into account.

This will omit the request pattern from the security filter chain entirely. Note that anything matching this path will then have no authentication or authorization services applied and will be freely accessible.

configure(HttpSecurity) allows configuration of web-based security at a resource level, based on a selection match - e.g. the example below restricts the URLs that start with /admin/ to users that have the ADMIN role, and declares that any other URLs need to be successfully authenticated.

configure(WebSecurity) is used for configuration settings that impact global security (ignore resources, set debug mode, reject requests by implementing a custom firewall definition). For example, the following method would cause any request that starts with /resources/ to be ignored for authentication purposes.

Let's consider the code below; we can ignore authentication for the endpoints provided within antMatchers using both methods.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
            .antMatchers("/login", "/register", "/api/public/**"); // whole filter chain skipped
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers("/login", "/register", "/api/public/**").permitAll() // chain runs, no auth required
            .anyRequest().authenticated();
    }
}

• configure(WebSecurity web): endpoints used in this method bypass the Spring Security filters; security features (secure headers, CSRF protection, etc.) are also skipped, no security context will be set, and the endpoints cannot be protected against cross-site scripting (XSS) attacks, content sniffing, etc.

• configure(HttpSecurity http): endpoints used in this method skip authentication for the paths listed in antMatchers, while the other security features, such as secure headers and CSRF protection, remain in effect.
