We have a Spring Boot based application and we want to give anonymous users access to the default / mapping.
We added a default index.html (a basic page).
In the Controller:
@RequestMapping("/")
public ModelAndView defaultViewManager(HttpServletRequest request) {
    logger.info("Default mapping.");
    ModelAndView modelAndView = new ModelAndView("index");
    return modelAndView;
}
Security configuration:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    private static final String SSO_HEADER = "AUTH_USER";
    public static final String ADMIN = "ROLE_ADMIN";
    public static final String USER = "ROLE_USER";
    public static final String ANONYMOUS = "ROLE_ANONYMOUS";

    @Autowired
    private PreAuthUserDetailsService userDetailsService;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(preAuthenticatedAuthProvider());
    }

    @Bean
    public PreAuthenticatedAuthenticationProvider preAuthenticatedAuthProvider() {
        UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper =
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userDetailsService);
        PreAuthenticatedAuthenticationProvider authProvider = new PreAuthenticatedAuthenticationProvider();
        authProvider.setPreAuthenticatedUserDetailsService(wrapper);
        return authProvider;
    }

    @Bean
    public RequestHeaderAuthenticationFilter headerAuthFilter() throws Exception {
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setPrincipalRequestHeader(SSO_HEADER);
        filter.setAuthenticationManager(authenticationManagerBean());
        return filter;
    }
The code above may not be necessary, but as background, we use PreAuthenticatedAuthenticationProvider.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http.addFilter(headerAuthFilter())
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/admin/**").hasAuthority(ADMIN)
                .antMatchers("/**").hasAuthority(USER)
            .and()
            .logout()
                .deleteCookies("remove")
                .invalidateHttpSession(true)
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout")
            .and()
            .csrf().disable()
            .headers().frameOptions().disable();
        // @formatter:on
    }
}
FYI, I have also added an interceptor. The interceptor seems to be triggered even with the exclude pattern:
public void addInterceptors(InterceptorRegistry registry) {
    registry.addInterceptor(wikiRequestHandlerInterceptor())
            .excludePathPatterns("/")
            .addPathPatterns("/**");
}
In the SecurityConfig code above, I tried to allow access with .antMatchers("/").permitAll() and added an authority for the rest, meaning everything under /** and /admin/**. But this does not work. Please help with the correct antMatchers to give anonymous access only to the default / mapping.
Thanks in advance.
Best answer
It looks like the antMatchers need to be rearranged to fix the precedence. To allow "all requests" at "/", first add anyRequest().permitAll(), then add the restricted directories, and finally the catch-all /**, like this:
http.addFilter(headerAuthFilter())
    .authorizeRequests()
        .anyRequest().permitAll()
        .antMatchers("/admin/**").hasAuthority(ADMIN)
        .antMatchers("/**").hasAuthority(USER)
The view controller can be set up to map directly to indexroot.html in the templates directory (assuming Thymeleaf):
public void addViewControllers(ViewControllerRegistry registry) {
    registry.addViewController("/").setViewName("indexroot");
}
I believe the interceptor can still be excluded with a plain "/" in any order:
public void addInterceptors(InterceptorRegistry registry) {
    registry.addInterceptor(wikiRequestHandlerInterceptor())
            .addPathPatterns("/admin/**")
            .excludePathPatterns("/");
}
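Two facts about Spring Security that the thread does not spell out decide whether "/" can actually be anonymous. First, authorizeRequests() rules are evaluated top-down and the first matching rule wins, and anyRequest() has to be the last rule (newer Spring Security versions reject any antMatchers() declared after it with an IllegalStateException). Second, RequestHeaderAuthenticationFilter throws PreAuthenticatedCredentialsNotFoundException by default when the configured header is absent, so an anonymous request to "/" fails inside the filter before the authorization rules are ever consulted; the filter's own setExceptionIfHeaderMissing(false) makes a missing header mean "not pre-authenticated" instead of "error". The configuration below is an added example, not code from the original question or answer; it reuses the question's names (SSO_HEADER, ADMIN, USER, PreAuthUserDetailsService) and assumes a WebSecurityConfigurerAdapter-based Spring Security 5.x setup like the one in the question.

```java
// Added example (not from the original page). Assumes Spring Boot 2.x /
// Spring Security 5.x with WebSecurityConfigurerAdapter, and that
// PreAuthUserDetailsService (from the question) is a UserDetailsService bean.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    private static final String SSO_HEADER = "AUTH_USER";
    public static final String ADMIN = "ROLE_ADMIN";
    public static final String USER = "ROLE_USER";

    @Autowired
    private PreAuthUserDetailsService userDetailsService; // assumed, from the question

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(preAuthenticatedAuthProvider());
    }

    @Bean
    public PreAuthenticatedAuthenticationProvider preAuthenticatedAuthProvider() {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userDetailsService));
        return provider;
    }

    @Bean
    public RequestHeaderAuthenticationFilter headerAuthFilter() throws Exception {
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setPrincipalRequestHeader(SSO_HEADER);
        filter.setAuthenticationManager(authenticationManagerBean());
        // Default is true: a request without AUTH_USER would throw
        // PreAuthenticatedCredentialsNotFoundException in the filter, so "/"
        // could never be reached anonymously no matter how the matchers are
        // ordered. With false, a missing header simply leaves the request
        // unauthenticated and the anonymous filter assigns ROLE_ANONYMOUS.
        filter.setExceptionIfHeaderMissing(false);
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilter(headerAuthFilter())
            .authorizeRequests()
                // First match wins: the most specific paths go first.
                .antMatchers("/").permitAll()                 // anonymous landing page only
                .antMatchers("/admin/**").hasAuthority(ADMIN) // admins only
                // anyRequest() must be the last rule; everything else needs ROLE_USER.
                .anyRequest().hasAuthority(USER)
            .and()
            .logout()
                .logoutUrl("/logout")
                .invalidateHttpSession(true)
                .logoutSuccessUrl("/")
            .and()
            .csrf().disable();
    }
}
```

Note that "/" matches only the exact root path; "/index.html" or static assets under "/static/**" would fall through to anyRequest() and still require ROLE_USER, so add them to the permitAll() matcher if the landing page needs them. Separately, a header-based pre-authentication filter trusts whatever value arrives in AUTH_USER, so this setup is only safe when the application is reachable exclusively through the SSO proxy that sets that header and strips any client-supplied copy of it; otherwise any client can impersonate a user by sending the header itself.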
Regarding java - Spring Boot Security - anonymous user access to the default mapping /, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/28465375/