java - Spring Security antMatcher 与 HttpMethod.POST 不起作用

Question

编辑:

谢谢托马斯·安道夫! 当我在 springboot 中使用嵌入的 tomcat 时，它可以工作，我在 IntelliJ 上启动了 spring，并且使用 Visual Studio 代码启动了 Angular 部分。 但是当我在树莓派上提供的 tomcat 中发布 war 时它不起作用...

@Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests(authorizeRequests ->
                        authorizeRequests.antMatchers(HttpMethod.POST, "/rest/gender").permitAll()
                        .antMatchers(HttpMethod.POST, "/rest/login").permitAll()
                        .antMatchers(HttpMethod.POST, "/rest/names").permitAll()
                        .anyRequest().authenticated()
                )
                .httpBasic()
                .authenticationEntryPoint(authEntryPoint)
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

项目的 Angular 部分发布在 tomcat/webapps/ROOT 中。
war 发布在 tomcat/webapps/baby-project-api 中。

我像这样使用tomcat/conf/Catalina/localhost/rewrite.config:

RewriteRule ^/rest/(.+)$ /baby-project-api/rest/$1

<小时/>

原始问题

我尝试在具有 Spring Boot 安全性的 api 上使用基本身份验证，但我需要一些不安全的路径。

POST/rest/login 不受配置保护，
GET/rest/gender 是安全的，这就是我想要的

知道为什么 POST/rest/gender 仍然受到保护吗？

这是我的 WebSecurityConfig :

@Configuration
@EnableAutoConfiguration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationEntryPoint authEntryPoint;

    @Autowired
    private IParentRepository parentRepository;

    @Bean
    public BCryptPasswordEncoder bCryptPasswordEncoder() {
        BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();
        return bCryptPasswordEncoder;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/rest/gender").permitAll()
                .antMatchers(HttpMethod.POST, "/rest/login").permitAll()
                .antMatchers(HttpMethod.POST, "/rest/names").permitAll()
                .anyRequest().authenticated()
                .and().httpBasic()
                .authenticationEntryPoint(authEntryPoint);
                //.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {

        final List<Parent> parents = parentRepository.findAll();
        InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> mngConfig = auth.inMemoryAuthentication();

        for (Parent parent : parents) {
            mngConfig.withUser(User.withUsername(parent.getUsername()).password(parent.getPassword()).roles("ADMIN").build());
        }

    }
}```

POST /rest/login is not secured with the config,  
GET /rest/gender is secured and that's what i want

Any idea why POST /rest/gender is still secured ?

Answer 1

你能尝试按照他们在documentation中实际做的方式来做吗？看看它是否有效。

protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
            .authorizeRequests(authorizeRequests -> 
                authorizeRequests.antMatchers(HttpMethod.POST, "/rest/gender").permitAll();
                authorizeRequests.antMatchers(HttpMethod.POST, "/rest/login").permitAll();
                authorizeRequests.antMatchers(HttpMethod.POST, "/rest/names").permitAll();
                authorizeRequests.anyRequest().authenticated();
            )
            .httpBasic()
            .authenticationEntryPoint(authEntryPoint);
}