java - Correct use of WebSecurity in WebSecurityConfigurerAdapter

Reposted. Author: IT老高. Updated: 2023-10-28 13:45:43

In my Spring Boot application based on version 1.3.0.BUILD-SNAPSHOT, I have static resources (images, css, js) in the static folder under resources.

I have seen some examples related to the security configuration, like the following:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(final WebSecurity web) throws Exception {
        web.ignoring()
           .antMatchers("/static/**");
    }
}

Is this example correct? What effect should it have? How can I verify that it works (e.g. by making a request to localhost:8080/something)? What cool things can I do with WebSecurity?

Best answer

Your example means that Spring (Web) Security is ignoring URL patterns that match the expression you defined ("/static/**"). Such URLs are skipped by Spring Security and are therefore not protected.

Allows adding RequestMatcher instances that Spring Security should ignore. Web Security provided by Spring Security (including the SecurityContext) will not be available on HttpServletRequest that match. Typically the requests that are registered should be that of only static resources. For requests that are dynamic, consider mapping the request to allow all users instead.

See the WebSecurity API documentation for more information.

You can set up as many protected or unprotected URL patterns as you need.
With Spring Security you can provide authentication and access-control features for the web layer of your application. You can also restrict access to specific URLs to users with specified roles, and so on.

Read the Spring Security reference for more details:
http://docs.spring.io/spring-security/site/docs/current/reference/html/


Ordering priority of URL patterns

When matching the specified patterns against an incoming request, the matching is done in the order in which the elements are declared. So the most specific patterns should come first and the most general should come last.

There are multiple children to the http.authorizeRequests() method; each matcher is considered in the order they were declared.

Patterns are always evaluated in the order they are defined. Thus it is important that more specific patterns are defined higher in the list than less specific patterns.

Read more here:
http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#filter-security-interceptor


Example 1

The general purpose of WebSecurity's ignoring() method is to omit Spring Security entirely; none of Spring Security's features will be available for the matched requests. WebSecurity sits above HttpSecurity
(in XML configuration you would write: <http pattern="/resources/**" security="none"/>).

@Override
public void configure(WebSecurity web) throws Exception {
    web
        .ignoring()
            .antMatchers("/resources/**")
            .antMatchers("/publics/**");
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/admin/**").hasRole("ADMIN")
            .antMatchers("/publics/**").hasRole("USER") // no effect
            .anyRequest().authenticated();
}

The WebSecurity in the example above makes Spring ignore /resources/** and /publics/**. Therefore .antMatchers("/publics/**").hasRole("USER") in HttpSecurity is never considered.

This will omit the request pattern from the security filter chain entirely. Note that anything matching this path will then have no authentication or authorization services applied and will be freely accessible.


Example 2

Patterns are always evaluated in order. The following matching is invalid, because the first pattern matches every request and the second one is never applied:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/**").hasRole("USER")
            .antMatchers("/admin/**").hasRole("ADMIN"); // never reached: "/**" already matched
}
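As an added example (not code from the original answer), assuming Spring Security 4.x as shipped with Spring Boot 1.3, this is how the two mechanisms discussed above fit together: ignoring() only for truly static files, permitAll() for dynamic public endpoints (the Javadoc's "allow all users instead"), and the specific /admin/** matcher placed before the catch-all. The paths /favicon.ico and /login are assumed for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example; assumes Spring Security 4.x (WebSecurityConfigurerAdapter era).
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Static files only. These requests bypass the whole security filter chain:
    // no SecurityContext, no CSRF check and no security headers are applied.
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring()
           .antMatchers("/static/**", "/favicon.ico"); // /favicon.ico is an assumed path
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Most specific pattern first; a broader rule declared earlier
                // would swallow /admin/** (see Example 2 above).
                .antMatchers("/admin/**").hasRole("ADMIN")
                // Dynamic but public endpoints stay inside the filter chain, so
                // they still receive security headers and CSRF protection on POSTs.
                .antMatchers("/publics/**", "/login").permitAll()
                // Catch-all last: everything else needs an authenticated user.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login") // assumed login page mapping
                .and()
            .logout();
    }
}
```

To verify, as the question asks: an anonymous request to localhost:8080/static/app.css returns the file with no Spring Security response headers, a request to localhost:8080/admin/ redirects to /login, and the same request with a user lacking ROLE_ADMIN yields 403.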

Regarding "java - Correct use of WebSecurity in WebSecurityConfigurerAdapter", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/31995221/
