用户无需登录即可访问安全 URL。 下面是此类 URL 的示例,应提示用户登录,但未经身份验证即可访问该 URL。
http://localhost:9090/HospitalProject/web/patient/home
安全配置:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
Environment env;
@Autowired
public void configureAuthentication(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("root")
.password("root")
.roles("ADMIN");
auth
.inMemoryAuthentication()
.withUser("notroot")
.password("notroot")
.roles("SUPER_ADMIN");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/web/login").permitAll()
.antMatchers("/web/**").access("hasRole('ADMIN') or hasRole('SUPER_ADMIN')")
.and()
.formLogin()
.loginPage("/web/login")
.loginProcessingUrl("/web/login")
.usernameParameter("username")
.passwordParameter("password")
.and()
.logout().logoutSuccessUrl("/login?logout");
}
}
安全初始值设定项:
public class SecurityWebApplicationIntializer extends AbstractSecurityWebApplicationInitializer {
public SecurityWebApplicationIntializer() {
super(SecurityConfig.class);
}
}
Controller :
@Controller
public class MasterController {
@GetMapping(value={"/", "/web/login"})
public ModelAndView loginForm(){
ModelAndView mv = new ModelAndView("login");
mv.addObject("loginForm", new LoginForm());
return mv;
}
}
知道缺少什么吗?
最佳答案
不同 url 的管理员角色权限不同
尝试,
authorizeRequests()
.antMatchers("/web/admin/**").access("hasRole('ADMIN') or hasRole('SUPER_ADMIN')")
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/web/login").permitAll();
.loginProcessingUrl("/web/login")
.usernameParameter("username").passwordParameter("password")
.and()
.logout().logoutSuccessUrl("/login?logout")
.and()
.csrf().disable();
如果您使用 spring mvc,则需要将 SecurityConfig 添加到 xxxServletInitializer 而不是 AbstractSecurityWebApplicationInitializer
public class SpringMvcInitializer
extends AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class[] { SecurityConfig.class };
}
@Override
protected Class<?>[] getServletConfigClasses() {
return null;
}
@Override
protected String[] getServletMappings() {
return new String[] { "/" };
}
}
关于java - 访问安全 URL 时未调用 Spring Security 身份验证过滤器,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/40419145/