java - Spring MVC : Spring Security 4 doesn't intercept

Question

我尝试通过 Spring Security 为我的 Spring MVC 项目(最近更新为 4.2.6.RELEASE)完成授权。所以我添加了这些依赖项:

    <dependency org="org.springframework.security" name="spring-security-config" rev="4.1.0.RELEASE" />
    <dependency org="org.springframework.security" name="spring-security-core" rev="4.1.0.RELEASE" />
    <dependency org="org.springframework.security" name="spring-security-crypto" rev="4.1.0.RELEASE" />
    <dependency org="org.springframework.security" name="spring-security-taglibs" rev="4.1.0.RELEASE" />
    <dependency org="org.springframework.security" name="spring-security-web" rev="4.1.0.RELEASE" />

据我了解，我只需要创建这些类:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/", "/home").permitAll().anyRequest().authenticated().and().formLogin()
                .loginPage("/login").permitAll().and().logout().permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}

和

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

public class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer {
}

我希望对于尚未登录的用户，除了“/”、“/home”、“/login”和“/logout”之外，所有 URL 现在都会被阻止。事实上，没有任何东西被阻止，我的网络应用程序完全可以访问。所以我一定是在某个地方错了......

如果您能在这里给我一些关于我的问题可能是什么的提示，我真的很感激。谢谢!

Answer 1

我测试了你的ant匹配器，它工作得很好(一切看起来都很好)，所以我认为你还没有将你的客户安全配置(SecurityConfig)注册到spring servlet，它是用@Import完成的。

@EnableWebMvc 
@Configuration
@ComponentScan({ "yourpackage" })
@Import({ SecurityConfig .class }) // See here
public class SpringServlet {

    @Bean
    public InternalResourceViewResolver viewResolver() {
        InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
        viewResolver.setViewClass(JstlView.class);
        viewResolver.setPrefix("/WEB-INF/..");
        viewResolver.setSuffix("...");
        return viewResolver;
    }

}