[英]Spring Security configuration on URL and users
I want two kinds of requests in my REST server: Those who has the path "/freerest/" anyone can request, others will need authentication. 我想要REST服务器中的两种请求:具有路径“ / freerest /”的任何人都可以请求,其他人则需要身份验证。
This is my code: 这是我的代码:
@Configuration
@ComponentScan
@EnableAutoConfiguration
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
}
@Configuration
class WebSecurityConfiguration extends GlobalAuthenticationConfigurerAdapter {
@Autowired
UserAccountRepository userAccountRepository;
@Override
public void init(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService());
}
@Bean
UserDetailsService userDetailsService() {
return new UserDetailsService() {
@Override
public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
UserAccount account = userAccountRepository.findByEmail(email);
if(account != null) {
return new User(account.getEmail(), account.getPassword(), true, true, true, true,
AuthorityUtils.createAuthorityList("USER"));
} else {
throw new UsernameNotFoundException("could not find the user '"
+ email + "'");
}
}
};
}
}
@EnableWebSecurity
@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/freerest/**").permitAll().and().authorizeRequests().anyRequest().hasAnyAuthority("USER");
}
}
In my mind after hasAnyAuthority("USER"), should have a .permitAll(). 在我的脑海中,在hasAnyAuthority(“ USER”)之后,应该有一个.permitAll()。 But dont.
但是不要。
So, the freerest path works fine, but if I try some user, which is on my database, or the default Spring's user I get 403. 因此,freerest路径可以正常工作,但是如果我尝试数据库中的某个用户或默认的Spring用户,则会得到403。
What is wrong? 怎么了?
Try this. 尝试这个。 You have added an
and()
inbetween the antMatch ans any Request. 您已在antMatch和任何请求之间添加了
and()
。 I think that is the problem. 我认为这就是问题所在。
And also add the correct authenticating realm followed by an and()
as shown below. 并添加正确的身份验证领域,后跟
and()
,如下所示。 here I use the HTTP Basic Authentication for restful 在这里,我使用HTTP基本身份验证以实现宁静
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, proxyTargetClass = true)
public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter{
......
......
......
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers("/freerest/**").permitAll()
.anyRequest().hasAnyAuthority("USER")
.and()
.httpBasic();
}
......
......
......
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.