Spring Security, secured and non-secured access
Question
I'm doing a little application that requires logging in first. But for some 3rd-party tool, I want to provide an API that doesn't require login. The login itself works fine, and the API itself works, but I can't figure out how to tell Spring Security that the API can be accessed without the need for authentication. I checked several topics here and on other websites and tried different versions, but none worked. Every time I try to access the API, I get forwarded to the login form and have to log in first.
My code looks like this so far, inside my Spring Security config:
import org.springframework.security.config.annotation.web.builders.HttpSecurity;

// inside the WebSecurityConfigurerAdapter subclass

/**
 * configuration of spring security, defining access to the website
 *
 * @param http
 * @throws Exception
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            // the open REST API and the login page: no login required
            .antMatchers("/rest/open**").permitAll()
            .antMatchers("/login**").permitAll()
            .and()
            .authorizeRequests()
            // everything else: a logged-in user is required
            .anyRequest()
            .authenticated()
            .and()
            .formLogin()
            .loginPage("/login")
            .failureUrl("/login?error")
            .defaultSuccessUrl("/dashboard")
            .loginProcessingUrl("/j_spring_security_check")
            .usernameParameter("username")
            .passwordParameter("password")
            .and()
            .logout()
            .logoutUrl("/j_spring_security_logout")
            .logoutSuccessUrl("/login?logout")
            .and()
            .csrf();
}
And my controller:
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class PredictionOpenRestController {

    // GET /rest/open/prediction: should be reachable without logging in
    @RequestMapping("/rest/open/prediction")
    public String getPrediction() {
        return "First Try!";
    }
}
Somehow I have the feeling I'm missing something.
Answer
See the Spring Security reference:
Our examples have only required users to be authenticated and have done so for every URL in our application. We can specify custom requirements for our URLs by adding multiple children to our http.authorizeRequests() method. For example:
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/resources/**", "/signup", "/about").permitAll()
            .antMatchers("/admin/**").hasRole("ADMIN")
            .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")
            .anyRequest().authenticated()
            .and()
        // ...
        .formLogin();
}
1. There are multiple children to the http.authorizeRequests() method; each matcher is considered in the order it was declared.
2. We specified multiple URL patterns that any user can access. Specifically, any user can access a request if the URL starts with "/resources/", equals "/signup", or equals "/about".
3. Any URL that starts with "/admin/" will be restricted to users who have the role "ROLE_ADMIN". You will notice that since we are invoking the hasRole method we do not need to specify the "ROLE_" prefix.
4. Any URL that starts with "/db/" requires the user to have both "ROLE_ADMIN" and "ROLE_DBA". You will notice that since we are using the hasRole expression we do not need to specify the "ROLE_" prefix.
5. Any URL that has not already been matched on only requires that the user be authenticated.
Your second use of .authorizeRequests() overrides the first one.
See also AntPathMatcher:
The mapping matches URLs using the following rules:
? matches one character
* matches zero or more characters
** matches zero or more directories in a path
Examples
com/t?st.jsp — matches com/test.jsp but also com/tast.jsp or com/txst.jsp
com/*.jsp — matches all .jsp files in the com directory
com/**/test.jsp — matches all test.jsp files underneath the com path
org/springframework/**/*.jsp — matches all .jsp files underneath the org/springframework path
org/**/servlet/bla.jsp — matches org/springframework/servlet/bla.jsp but also org/springframework/testing/servlet/bla.jsp and org/servlet/bla.jsp
Your modified code:
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/rest/open/**").permitAll()
            .antMatchers("/login/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .loginPage("/login")
            .failureUrl("/login?error")
            .defaultSuccessUrl("/dashboard")
            .loginProcessingUrl("/j_spring_security_check")
            .usernameParameter("username")
            .passwordParameter("password")
            .and()
            .logout()
            .logoutUrl("/j_spring_security_logout")
            .logoutSuccessUrl("/login?logout")
            .and()
            .csrf();
}
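The following is an added example, not code from the question or the answer above. It runs the two patterns (the question's "/rest/open**" and the answer's "/rest/open/**") through Spring's own AntPathMatcher, the matcher antMatchers() delegates to, and then replays the first-match-wins ordering of authorizeRequests() over the answer's rule list. The class name, the rule map and the sample paths are assumptions constructed for the demonstration; only org.springframework.util.AntPathMatcher (from spring-core) is a real dependency.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.util.AntPathMatcher;

/**
 * Checks Ant-style patterns against request paths with Spring's own
 * AntPathMatcher and replays the ordered rule evaluation of
 * authorizeRequests(). Added example; the rule list and the sample
 * paths are constructed assumptions, not part of the original post.
 */
public class OpenApiPatternCheck {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** True when the Ant-style pattern matches the servlet path (query string excluded). */
    public static boolean matches(String pattern, String path) {
        return MATCHER.match(pattern, path);
    }

    /**
     * Mirrors authorizeRequests(): rules are tried in declaration order and
     * the first matching pattern decides; anyRequest() catches the rest.
     * Returns "permitAll" or "authenticated".
     */
    public static String decide(Map<String, String> orderedRules, String path) {
        for (Map.Entry<String, String> rule : orderedRules.entrySet()) {
            if (matches(rule.getKey(), path)) {
                return rule.getValue();
            }
        }
        return "authenticated"; // .anyRequest().authenticated()
    }

    public static void main(String[] args) {
        // Constructed sample paths: the question's controller plus its neighbours
        String[] paths = {
            "/rest/open/prediction",
            "/rest/open",
            "/rest/openness",
            "/login",
            "/dashboard"
        };

        // The pattern from the question next to the pattern from the answer
        for (String pattern : new String[] { "/rest/open**", "/rest/open/**" }) {
            for (String path : paths) {
                System.out.printf("%-15s %-23s %b%n", pattern, path, matches(pattern, path));
            }
        }

        // Rules in declaration order, as in the corrected configure() method
        Map<String, String> rules = new LinkedHashMap<>();
        rules.put("/rest/open/**", "permitAll");
        rules.put("/login/**", "permitAll");

        System.out.println();
        for (String path : paths) {
            System.out.printf("%-23s -> %s%n", path, decide(rules, path));
        }
    }
}
```

Compile it with spring-core on the classpath and run the main method. Because AntPathMatcher tokenizes on "/", a "**" that sits inside a segment ("open**") can only absorb characters of that segment: "/rest/open**" matches "/rest/open" and "/rest/openness" but has no token left for the extra "/prediction" segment, so the controller path falls through to anyRequest().authenticated() and the browser is redirected to the login page. "/rest/open/**" matches "/rest/open", "/rest/open/prediction" and anything deeper. Two practical notes: the permitAll rules must be declared before anyRequest(), since the first matching rule wins, and .csrf() stays enabled for the open path, so an unauthenticated third-party tool sending POST or PUT to /rest/open/** without a CSRF token will still get 403 even though authorization permits it; exclude that path with .csrf().ignoringAntMatchers("/rest/open/**") (Spring Security 4.0 and later) if the API must accept writes. A quick check after the change is `curl -i http://localhost:8080/rest/open/prediction`, which should now return 200 with the body instead of a 302 to /login.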