Spring Security disable HTTP Basic for one specific page
I'm trying to add web security in Spring but I don't want the filter to apply to certain things. How is that done in Java?
Overall, what I want to do is this: / and /login should not show an HTTP Basic authentication prompt to log in, while everything else should go through the filter and pop up a login prompt window.
Through various examples I found through Spring, I was able to come up with this as a start, but it obviously doesn't work:
    @Configuration
    @EnableWebMvcSecurity
    public class AuthSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers("/css/**", "/js/**", "/img/**", "/lib/**");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable().antMatcher("/").authorizeRequests().anyRequest().permitAll();
            http.csrf().disable().antMatcher("/**").authorizeRequests().anyRequest().hasRole("ADMIN").and().httpBasic();
        }

        @Autowired
        protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                .withUser("admin").password("admin123").roles("ADMIN")
                .and()
                .withUser("user").password("user123").roles("USER");
        }
    }
Rewrite your configure(HttpSecurity http) method like the following:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic()
                .and()
            .authorizeRequests()
                .antMatchers("/", "/login").permitAll()
                .anyRequest().hasRole("ADMIN")
                .and()
            .csrf()
                .disable();
    }
"/" and "/login" SHOULD NOT show a httpbasic authentication prompt to login, while everything else SHOULD go through the filter and pop up a login prompt window.
If you're seriously planning to use HTTP Basic, I guess you wouldn't need a separate /login handler, since browser-based clients can use the default browser-based pop-up and other clients can send HTTP Basic requests through the Authorization header.