我有一个带有映射的控制器。我提供了常数的值。
Constants.restApiUriPrefix = "rest/"
UserController.uriExtension = "users"
@RequestMapping(value = Constants.restApiUriPrefix + UserController.uriExtension)
public class UserController {
@RequestMapping(params = "username")
@ResponseBody
public ResponseWithView<User> getUserByName(@RequestParam String username, @ModelAttribute User authenticatingUser) {
return new ResponseWithView<User>(userService.findByUsername(username));
}
}
当我运行测试时,我使用来自Web服务器的根上下文的以下URI。
/rest/users?username=testUser%40gmail.com
这是我的安全配置。
@Override
protected void configure(HttpSecurity http) throws Exception {
if(environment == Environment.DEVELOPMENT) {
http.authorizeRequests().antMatchers("/" + Constants.restApiUriPrefix + TestHelperController.uriExtension + "/**").permitAll();
}
http.csrf().disable(); //TODO Someday fix this and turn csrf back on safely
http
.httpBasic()
.and()
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/" + Constants.restApiUriPrefix + UserController.uriExtension + "?username=**").permitAll()
.antMatchers(HttpMethod.POST, "/" + Constants.restApiUriPrefix + UserController.uriExtension + "/").permitAll()
.antMatchers(HttpMethod.POST, "/" + Constants.restApiUriPrefix + UserController.uriExtension).permitAll()
.antMatchers("/" + Constants.restApiUriPrefix + "**").hasRole("USER");
}
我希望
.antMatchers(HttpMethod.GET, "/" + Constants.restApiUriPrefix + UserController.uriExtension + "?username=**").permitAll()
匹配我的请求以通过用户名发现用户而不会受到身份验证的质疑,但我是。
我使用的是Spring 4.0.2.RELEASE和Spring Security 3.2.0.RELEASE
答案 0 :(得分:1)
我能够使用以下蚂蚁匹配器。
.antMatchers(HttpMethod.GET, "/" + Constants.restApiUriPrefix + UserController.uriExtension + "*")
.permitAll()