Spring Boot Security - Anonymous User access on default mapping /
We have a Spring Boot based application and we want to give anonymous users access to the default / mapping. We added a default index.html (basic page).
@RequestMapping("/")
public ModelAndView defaultViewManager(HttpServletRequest request) {
    logger.info("Default mapping.");
    ModelAndView modelAndView = new ModelAndView("index");
    return modelAndView;
}
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private static final String SSO_HEADER = "AUTH_USER";
    public static final String ADMIN = "ROLE_ADMIN";
    public static final String USER = "ROLE_USER";
    public static final String ANONYMOUS = "ROLE_ANONYMOUS";

    @Autowired
    private PreAuthUserDetailsService userDetailsService;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(preAuthenticatedAuthProvider());
    }

    @Bean
    public PreAuthenticatedAuthenticationProvider preAuthenticatedAuthProvider() {
        UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper =
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userDetailsService);
        PreAuthenticatedAuthenticationProvider authProvider = new PreAuthenticatedAuthenticationProvider();
        authProvider.setPreAuthenticatedUserDetailsService(wrapper);
        return authProvider;
    }

    @Bean
    public RequestHeaderAuthenticationFilter headerAuthFilter() throws Exception {
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setPrincipalRequestHeader(SSO_HEADER);
        filter.setAuthenticationManager(authenticationManagerBean());
        return filter;
    }
The code above may not be necessary, but for the backend we are using PreAuthenticatedAuthenticationProvider.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http.addFilter(headerAuthFilter())
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/admin/**").hasAuthority(ADMIN)
                .antMatchers("/**").hasAuthority(USER)
            .and()
            .logout()
                .deleteCookies("remove")
                .invalidateHttpSession(true)
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout")
            .and()
            .csrf().disable()
            .headers().frameOptions().disable();
        // @formatter:on
    }
}
FYI, I have also added an interceptor. The interceptor seems to get triggered even with the exclude pattern.
public void addInterceptors(InterceptorRegistry registry) {
    registry.addInterceptor(wikiRequestHandlerInterceptor())
            .excludePathPatterns("/")
            .addPathPatterns("/**");
}
In the SecurityConfig code above, I tried to allow access with .antMatchers("/").permitAll() and to require authorities for the rest, meaning everything under /** and /admin/**. But this does not work. Please help with the correct antMatchers to provide anonymous access to the default / mapping. Thanks in advance.
It looks like the antMatchers need to be rearranged to fix the precedence. To allow "all requests" on "/", first add anyRequest().permitAll(), then add the restricted directories, and finally the catch-all /**, as shown below:
http.addFilter(headerAuthFilter())
    .authorizeRequests()
        .anyRequest().permitAll()
        .antMatchers("/admin/**").hasAuthority(ADMIN)
        .antMatchers("/**").hasAuthority(USER)
You can set up a view controller that maps directly to indexroot.html in the templates directory (assuming Thymeleaf):
public void addViewControllers(ViewControllerRegistry registry) {
    registry.addViewController("/").setViewName("indexroot");
}
I believe the interceptor can still simply be excluded with "/" in any order:
public void addInterceptors(InterceptorRegistry registry) {
    registry.addInterceptor(wikiRequestHandlerInterceptor())
            .addPathPatterns("/admin/**")
            .excludePathPatterns("/");
}
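The matcher-ordering question discussed in this thread, as an added example that is not part of the question or the answer above. It is a complete WebSecurityConfigurerAdapter (Spring Security 5.x, Java) that makes two points the thread does not show in full. First, the rules inside authorizeRequests() are evaluated in declaration order and the first match wins, so the most specific paths go first and anyRequest() goes last; recent Spring Security 5.x versions reject a matcher declared after anyRequest() with an IllegalStateException. Second, RequestHeaderAuthenticationFilter defaults to exceptionIfHeaderMissing=true, which means a request that carries no AUTH_USER header is rejected by the filter before any antMatcher is consulted, so "/" cannot be served anonymously no matter how the matchers are ordered. The class name AnonymousRootSecurityConfig is assumed; the header name AUTH_USER, the authority names and the PreAuthUserDetailsService type are taken from the question.

```java
// Added example, not the question's or the answer's own code.
// Assumed: the class name below and that PreAuthUserDetailsService exists
// as a UserDetailsService bean (it is referenced, not defined, in the question).
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class AnonymousRootSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final String SSO_HEADER = "AUTH_USER";
    private static final String ADMIN = "ROLE_ADMIN";
    private static final String USER = "ROLE_USER";

    @Autowired
    private PreAuthUserDetailsService userDetailsService; // assumed bean, as in the question

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(preAuthenticatedAuthProvider());
    }

    @Bean
    public PreAuthenticatedAuthenticationProvider preAuthenticatedAuthProvider() {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userDetailsService));
        return provider;
    }

    // Deliberately not a @Bean: Spring Boot auto-registers every Filter bean with the
    // servlet container, so the filter would run a second time outside the security chain.
    private RequestHeaderAuthenticationFilter headerAuthFilter() throws Exception {
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setPrincipalRequestHeader(SSO_HEADER);
        filter.setAuthenticationManager(authenticationManagerBean());
        // Default is true: a request without AUTH_USER throws
        // PreAuthenticatedCredentialsNotFoundException inside the filter, before the
        // authorization rules are even reached. With false the filter skips the request
        // and it proceeds as an anonymous user, which is what "/" needs.
        filter.setExceptionIfHeaderMissing(false);
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilter(headerAuthFilter())
            .authorizeRequests()
                // First match wins: specific paths first, catch-all last.
                .antMatchers("/").permitAll()                 // anonymous landing page
                .antMatchers("/admin/**").hasAuthority(ADMIN) // narrower rule before the catch-all
                .anyRequest().hasAuthority(USER)              // everything else needs a user
            .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/");
        // CSRF protection and frame options are left at their defaults here;
        // the question's config disables both.
    }
}
```

With this configuration a request for "/" without the AUTH_USER header is passed through by the filter and then matched by the first rule, so it is served anonymously; a request for "/admin/dashboard" with a header that resolves to a user lacking ROLE_ADMIN is matched by the second rule and rejected, and the third rule is only reached by paths neither of the first two matched.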