编辑:
谢谢托马斯·安道夫! 当我在 springboot 中使用嵌入的 tomcat 时,它可以工作,我在 IntelliJ 上启动了 spring,并且使用 Visual Studio 代码启动了 Angular 部分。 但是当我在树莓派上提供的 tomcat 中发布 war 时它不起作用...
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests(authorizeRequests ->
authorizeRequests.antMatchers(HttpMethod.POST, "/rest/gender").permitAll()
.antMatchers(HttpMethod.POST, "/rest/login").permitAll()
.antMatchers(HttpMethod.POST, "/rest/names").permitAll()
.anyRequest().authenticated()
)
.httpBasic()
.authenticationEntryPoint(authEntryPoint)
.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
项目的 Angular 部分发布在 tomcat/webapps/ROOT
中。
war 发布在 tomcat/webapps/baby-project-api
中。
我像这样使用tomcat/conf/Catalina/localhost/rewrite.config
:
RewriteRule ^/rest/(.+)$ /baby-project-api/rest/$1
<小时/>
原始问题
我尝试在具有 Spring Boot 安全性的 api 上使用基本身份验证,但我需要一些不安全的路径。
POST/rest/login
不受配置保护,
GET/rest/gender
是安全的,这就是我想要的
知道为什么 POST/rest/gender 仍然受到保护吗?
这是我的 WebSecurityConfig :
@Configuration
@EnableAutoConfiguration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private AuthenticationEntryPoint authEntryPoint;
@Autowired
private IParentRepository parentRepository;
@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder() {
BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();
return bCryptPasswordEncoder;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/rest/gender").permitAll()
.antMatchers(HttpMethod.POST, "/rest/login").permitAll()
.antMatchers(HttpMethod.POST, "/rest/names").permitAll()
.anyRequest().authenticated()
.and().httpBasic()
.authenticationEntryPoint(authEntryPoint);
//.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
final List<Parent> parents = parentRepository.findAll();
InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> mngConfig = auth.inMemoryAuthentication();
for (Parent parent : parents) {
mngConfig.withUser(User.withUsername(parent.getUsername()).password(parent.getPassword()).roles("ADMIN").build());
}
}
}```
POST /rest/login is not secured with the config,
GET /rest/gender is secured and that's what i want
Any idea why POST /rest/gender is still secured ?
最佳答案
你能尝试按照他们在documentation中实际做的方式来做吗?看看它是否有效。
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests(authorizeRequests ->
authorizeRequests.antMatchers(HttpMethod.POST, "/rest/gender").permitAll();
authorizeRequests.antMatchers(HttpMethod.POST, "/rest/login").permitAll();
authorizeRequests.antMatchers(HttpMethod.POST, "/rest/names").permitAll();
authorizeRequests.anyRequest().authenticated();
)
.httpBasic()
.authenticationEntryPoint(authEntryPoint);
}
关于java - Spring Security antMatcher 与 HttpMethod.POST 不起作用,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/59904734/