Spring Security, secured and non-secured access


Problem description

I'm doing a little application that requires a login first. But for some 3rd-party tool, I want to provide an API that doesn't require a login. The login itself works fine, the API itself works, but I can't figure out how to tell Spring Security that the API can be accessed without the need for authentication. I checked several topics here and on other websites and tried different versions, but none worked. Every time I try to access the API, I get forwarded to the login form and have to log in first.

My code looks like this so far, inside my Spring Security config:

/**
 * configuration of spring security, defining access to the website
 * 
 * @param http
 * @throws Exception 
 */
@Override
protected void configure(HttpSecurity http) throws Exception {        
    http.authorizeRequests()                
            .antMatchers("/rest/open**").permitAll()
            .antMatchers("/login**").permitAll()
            .and()
        .authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
        .formLogin()
            .loginPage("/login")
            .failureUrl("/login?error")
            .defaultSuccessUrl("/dashboard")
            .loginProcessingUrl("/j_spring_security_check")
            .usernameParameter("username")
            .passwordParameter("password")
            .and()
        .logout()
            .logoutUrl("/j_spring_security_logout")
            .logoutSuccessUrl("/login?logout")
            .and()
        .csrf();
}

And my controller:

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class PredictionOpenRestController {

    @RequestMapping("/rest/open/prediction")
    public String getPrediction() {
        return "First Try!";
    }
}

Somehow I have the feeling I'm missing something.

Answer

See the Spring Security reference:

Our examples have only required users to be authenticated and have done so for every URL in our application. We can specify custom requirements for our URLs by adding multiple children to our http.authorizeRequests() method. For example:

protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()                                                                
            .antMatchers("/resources/**", "/signup", "/about").permitAll()
            .antMatchers("/admin/**").hasRole("ADMIN")
            .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")  
            .anyRequest().authenticated()
            .and()
        // ...
        .formLogin();
}

1 There are multiple children to the http.authorizeRequests() method; each matcher is considered in the order in which it was declared.

2 We specified multiple URL patterns that any user can access. Specifically, any user can access a request if the URL starts with "/resources/", equals "/signup", or equals "/about".

3 Any URL that starts with "/admin/" will be restricted to users who have the role "ROLE_ADMIN". You will notice that since we are invoking the hasRole method we do not need to specify the "ROLE_" prefix.

4 Any URL that starts with "/db/" requires the user to have both "ROLE_ADMIN" and "ROLE_DBA". You will notice that since we are using the hasRole expression we do not need to specify the "ROLE_" prefix.

5 Any URL that has not already been matched only requires that the user be authenticated.

Your second use of .authorizeRequests() overrides the first one.

See also AntPathMatcher:

The mapping matches URLs using the following rules:

? matches one character

* matches zero or more characters

** matches zero or more directories in a path

Examples

com/t?st.jsp — matches com/test.jsp but also com/tast.jsp or com/txst.jsp

com/*.jsp — matches all .jsp files in the com directory

com/**/test.jsp — matches all test.jsp files underneath the com path

org/springframework/**/*.jsp — matches all .jsp files underneath the org/springframework path

org/**/servlet/bla.jsp — matches org/springframework/servlet/bla.jsp but also org/springframework/testing/servlet/bla.jsp and org/servlet/bla.jsp

Your modified code:

protected void configure(HttpSecurity http) throws Exception {        
    http.authorizeRequests()                
            .antMatchers("/rest/open/**").permitAll()
            .antMatchers("/login/**").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login")
            .failureUrl("/login?error")
            .defaultSuccessUrl("/dashboard")
            .loginProcessingUrl("/j_spring_security_check")
            .usernameParameter("username")
            .passwordParameter("password")
            .and()
        .logout()
            .logoutUrl("/j_spring_security_logout")
            .logoutSuccessUrl("/login?logout")
            .and()
        .csrf();
}
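To see the AntPathMatcher rules quoted in the answer applied to the question's own paths, here is an added example (not code from the original question or answer) that runs both the original pattern and the corrected one through Spring's own org.springframework.util.AntPathMatcher, the same matcher Spring Security uses behind antMatchers(). It assumes spring-core on the classpath; the class name AntPatternCheck and the sample paths other than /rest/open/prediction are made up for the demonstration.

```java
import org.springframework.util.AntPathMatcher;

/**
 * Added example: compares "/rest/open**" (from the question) with
 * "/rest/open/**" (from the answer) against a few servlet paths.
 * Requires spring-core (org.springframework.util.AntPathMatcher).
 */
public class AntPatternCheck {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** True if the Ant-style pattern fully matches the given servlet path. */
    public static boolean matches(String pattern, String path) {
        return MATCHER.match(pattern, path);
    }

    public static void main(String[] args) {
        // Constructed sample paths; only /rest/open/prediction comes from the question.
        String[] paths = {
            "/rest/open",             // the bare prefix
            "/rest/open/prediction",  // the controller endpoint from the question
            "/rest/open/a/b",         // nested below the prefix
            "/rest/openx",            // same segment, extra characters
            "/rest/secure/data"       // unrelated path, must stay protected
        };
        String[] patterns = { "/rest/open**", "/rest/open/**" };

        for (String pattern : patterns) {
            System.out.println("pattern " + pattern);
            for (String path : paths) {
                System.out.printf("  %-24s -> %s%n", path, matches(pattern, path));
            }
        }
    }
}
```

The matcher tokenises both pattern and path on "/", and "**" only acts as the directory wildcard when it is a whole segment. Inside the segment "open**" it degrades to "*", so "/rest/open**" matches "/rest/open" and "/rest/openx" but not "/rest/open/prediction", which has one more segment; that is why every request to the API fell through to anyRequest().authenticated() and was redirected to the login page. "/rest/open/**" matches the prefix itself and everything below it, while "/rest/secure/data" is matched by neither pattern and stays protected.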
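Two things the corrected config above does not address are worth checking once the open API is reachable without a login. First, rule order: since the first matching rule wins, the permitAll() matcher for the open prefix has to appear before anyRequest().authenticated(). Second, .csrf() stays enabled for the whole application, and an unauthenticated third-party client has no session and therefore no CSRF token, so any POST, PUT or DELETE it sends to /rest/open/** is rejected with 403 even though the path is permitted. The following is an added example, not code from the original answer; it assumes Spring Security 4.x/5.x (WebSecurityConfigurerAdapter style, as in the question), and the class name OpenApiSecurityConfig is hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example: the answer's corrected configuration plus the CSRF
 * exemption an anonymous API client needs. Class name is hypothetical.
 */
@Configuration
@EnableWebSecurity
public class OpenApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // First match wins, so the open rules must precede anyRequest().
                // "/rest/open/**" covers /rest/open and every path below it.
                .antMatchers("/rest/open/**").permitAll()
                // Login page; "?error" / "?logout" are query strings and do not
                // take part in path matching, so "/login/**" covers them too.
                .antMatchers("/login/**").permitAll()
                // Everything else, including any other /rest/** endpoint,
                // stays behind the form login.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .failureUrl("/login?error")
                .defaultSuccessUrl("/dashboard")
                .loginProcessingUrl("/j_spring_security_check")
                .usernameParameter("username")
                .passwordParameter("password")
                .and()
            .logout()
                .logoutUrl("/j_spring_security_logout")
                .logoutSuccessUrl("/login?logout")
                .and()
            .csrf()
                // CSRF protection stays on for the browser-facing part of the
                // application; only the anonymous API prefix is exempted, because
                // a third-party client without a session cannot present a token.
                .ignoringAntMatchers("/rest/open/**");
    }
}
```

If the third-party tool only reads data, narrow the rule to .antMatchers(HttpMethod.GET, "/rest/open/**").permitAll() instead: CSRF checks never apply to GET, so the ignoringAntMatchers() line can be dropped, and state-changing requests to the open prefix then fall through to anyRequest().authenticated() and stay behind the login.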
