堆栈内存溢出
  简体   繁体   English

Spring Security为一个特定页面禁用HTTP Basic

[英]Spring Security disable HTTP Basic for one specific page

 原文  2016-05-19 13:59:23       java/ spring/ spring-mvc/ spring-security/ spring-boot

问题描述

I'm trying to add web security in spring but I don't want the filter to apply to certain things. 我想在春季增加网络安全性,但我不希望该过滤器应用于某些特定事物。 How is that done in java? 用Java如何完成?

Overall, what I want to do is this: 总的来说,我想做的是:

/ and /login should not show a HTTP Basic authentication prompt to login, while everything else should go through the filter and pop up a login prompt window. //login不应显示HTTP Basic身份验证提示来登录,而其他所有内容都应通过过滤器并弹出一个登录提示窗口。

Through various example I found through spring I was able to come up with this as for a start but it obviously doesn't work: 通过整个春季的各种示例,我可以从一开始就提出这个建议,但显然不起作用: 

@Configuration
@EnableWebMvcSecurity
public class AuthSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/css/**", "/js/**", "/img/**", "/lib/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().antMatcher("/").authorizeRequests().anyRequest().permitAll();
        http.csrf().disable().antMatcher("/**").authorizeRequests().anyRequest().hasRole("ADMIN").and().httpBasic();
    }

    @Autowired
    protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("admin").password("admin123").roles("ADMIN")
                .and()
                .withUser("user").password("user123").roles("USER");
    }

}

1 个解决方案

解决方案1
 0 已采纳  2016-05-19 15:05:17

Rewrite your configure(HttpSecurity http) method like the following: 重写您的configure(HttpSecurity http)方法,如下所示: 

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .httpBasic()
            .and()
            .authorizeRequests()
                .antMatchers("/", "/login").permitAll()
                .anyRequest().hasRole("ADMIN")
            .and()
            .csrf()
                .disable();
}

"/" and "/login" SHOULD NOT show a httpbasic authentication prompt to login, while everything else SHOULD go through the filter and pop up a login prompt window. “ /”和“ / login”不应显示httpbasic身份验证提示进行登录,而其他所有内容均应通过过滤器并弹出登录提示窗口。

If you seriously planning to use HTTP Basic, I guess you wouldn't need a separate /login handler, since browser-based clients can use the default browser based pop up and other clients can send HTTP Basic requests through Authorization header. 如果您认真计划使用HTTP Basic,我猜您不需要单独的/login处理程序,因为基于浏览器的客户端可以使用基于默认浏览器的弹出窗口,而其他客户端可以通过Authorization标头发送HTTP Basic请求。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 为一个请求禁用基本身份验证(Spring Security)并为所有任何请求禁用 - Disable Basic Authentication(Spring Security) for one request and leave for all any Spring Security HTTP基本身份验证 - Spring Security HTTP Basic Authentication HTTP基本身份验证在Spring Security中不起作用 - Http basic authentication not working in Spring Security 具有Hibernate和Annotations和基本HTTP身份验证的Spring安全性 - Spring security with Hibernate and Annotations and basic HTTP authentication 为Oauth和Http Basic身份验证配置Spring Security - Configuring Spring Security for Oauth and Http Basic authentication 如何为具有 spring 安全性的特定端点添加 HTTP 基本身份验证? - How do I add HTTP basic auth for a specific endpoint with spring security? 在 Spring 中禁用登录窗口(Http Basic) - Disable Sign In Window in Spring (Http Basic) 禁用 OPTIONS Http 方法的 Spring Security - Disable Spring Security for OPTIONS Http Method 禁用Spring Security Basic登录 - Spring REST Web服务 - Disable Spring Security Basic Login - Spring REST web service url 到具有 spring 安全性的特定页面 - url to specific page with spring security
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM