Spring Security 3.2 Java配置
[英]spring security 3.2 java configuration
问题描述
I follow spring security 3.2 doc to write a sample app. 
我遵循Spring Security 3.2文档编写示例应用程序。 http.authorizeRequests().anyRequest().authenticated() is this mean any request is deny who is not login? http.authorizeRequests()。anyRequest()。authenticated()是否意味着任何请求都拒绝谁没有登录? But i access any url it's accessable. 但是我可以访问任何URL。 Is something config i has missing? 我缺少一些配置吗?
@Configuration
public class SpringWebMVCApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class[] { SecurityConfig.class };
}
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class[] { WebConfig.class };
}
@Override
protected String[] getServletMappings() {
return new String[] { "/" };
}
} }
springmvc config springmvc配置
@Configuration
@EnableWebMvc
@ComponentScan("org.jxs.mm.controller")
public class WebConfig extends WebMvcConfigurerAdapter {
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/assets/**").addResourceLocations("/assets/");
registry.addResourceHandler("/favicon.ico").addResourceLocations("/favicon.ico");
}
}
spring security config 春季安全配置
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated();
}
}
2 个解决方案
解决方案1
0 2014-11-15 13:32:30
You can grant access to a particular RESTFul Url that require no authentication with keyword "permitAll" and "hasAnyAuthority" for pages that do. 您可以授予对不需要身份验证的特定RESTFul Url的访问权限,该关键字不需要使用页面的关键字“ permitAll”和“ hasAnyAuthority”。
http
.formLogin()
.loginPage("/signin")
.loginProcessingUrl("/signin/authenticate")
.failureUrl("/loginfail")
// Grant all access to login url
.permitAll()
.and()
.logout()
.logoutUrl("/signout")
.logoutSuccessUrl("/signin")
.and()
.authorizeRequests()
.antMatchers("/foo/**").permitAll() //No authentication required
.antMatchers("/").hasAnyAuthority("ROLE_USER","ROLE_ADMIN") //Authentication required (access granted to users with role "ROLE_USER" or "ROLE_ADMIN")
}
解决方案2
0 已采纳 2014-11-17 09:15:55
You probably haven't registered your springSecurityFilterChain with the war. 您可能尚未向war注册您的springSecurityFilterChain。 See section 3.1.1 in Spring Security documentation 请参阅Spring Security 文档中的 3.1.1节
To summarize: 总结一下:
SecurityConfig class defines your Spring Security configuration. SecurityConfig类定义您的Spring Security配置。 It configures the springSecurityFilterChain filter. 它配置springSecurityFilterChain过滤器。
However, this filter chain needs to be applied to/registered with/associated with all URLs in your application (so that the URLs get intercepted by the springSecurityFilterChain). 但是,此过滤器链需要应用到您的应用程序中的所有URL或向其注册(或与之关联)(以便URL被springSecurityFilterChain拦截)。 This can be done by extending AbstractSecurityWebApplicationInitializer like so: 这可以通过扩展AbstractSecurityWebApplicationInitializer来完成,如下所示:
import org.springframework.security.web.context.*;
public class SecurityWebApplicationInitializer
extends AbstractSecurityWebApplicationInitializer {
}
After this, Spring Security should intercept any URL and apply the appropriate security rules as configured. 之后,Spring Security应该拦截任何URL并按照配置应用适当的安全规则。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.