URL和用户上的Spring Security配置

Question

I want two kinds of requests in my REST server: Those who has the path "/freerest/" anyone can request, others will need authentication. 我想要REST服务器中的两种请求：具有路径“ / freerest /”的任何人都可以请求，其他人则需要身份验证。

This is my code: 这是我的代码：

@Configuration
@ComponentScan
@EnableAutoConfiguration
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

}

@Configuration
class WebSecurityConfiguration extends GlobalAuthenticationConfigurerAdapter {

  @Autowired
  UserAccountRepository userAccountRepository;

  @Override
  public void init(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService());
  }

  @Bean
  UserDetailsService userDetailsService() {
    return new UserDetailsService() {

      @Override
      public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
        UserAccount account = userAccountRepository.findByEmail(email);
        if(account != null) {
            return new User(account.getEmail(), account.getPassword(), true, true, true, true,
                AuthorityUtils.createAuthorityList("USER"));
        } else {
            throw new UsernameNotFoundException("could not find the user '"
                  + email + "'");
        }
      }

    };
  }
}

@EnableWebSecurity
@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {    
    http.authorizeRequests().antMatchers("/freerest/**").permitAll().and().authorizeRequests().anyRequest().hasAnyAuthority("USER");
  }
}

In my mind after hasAnyAuthority("USER"), should have a .permitAll(). 在我的脑海中，在hasAnyAuthority（“ USER”）之后，应该有一个.permitAll（）。 But dont. 但是不要。

So, the freerest path works fine, but if I try some user, which is on my database, or the default Spring's user I get 403. 因此，freerest路径可以正常工作，但是如果我尝试数据库中的某个用户或默认的Spring用户，则会得到403。

What is wrong? 怎么了？

Answer 1

Try this. 尝试这个。 You have added an and() inbetween the antMatch ans any Request. 您已在antMatch和任何请求之间添加了and() 。 I think that is the problem. 我认为这就是问题所在。

And also add the correct authenticating realm followed by an and() as shown below. 并添加正确的身份验证领域，后跟and() ，如下所示。 here I use the HTTP Basic Authentication for restful 在这里，我使用HTTP基本身份验证以实现宁静

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, proxyTargetClass = true)
    public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter{

        ......
        ......
        ......

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                    .authorizeRequests()
                        .antMatchers("/freerest/**").permitAll()
                        .anyRequest().hasAnyAuthority("USER")
                    .and()
                    .httpBasic();
        }

        ......
        ......
        ......

    }

URL和用户上的Spring Security配置

问题描述

1 个解决方案

解决方案1
1 已采纳 2015-03-31 19:14:33

URL和用户上的Spring Security配置

问题描述

1 个解决方案

解决方案1 1 已采纳 2015-03-31 19:14:33

解决方案1
1 已采纳 2015-03-31 19:14:33