Question

我对Spring Security有疑问。我有几个页面--A，B和C - 以及4个http方法来操作它们：GET，PUT，POST，DELETE。对于每个组合A + GET，我希望以resource-Page-Method形式拥有特殊权限。我该如何实现它？下面的代码不起作用：如果没有任何权利，它允许所有用户事件的所有内容。

@Override
protected void configure(HttpSecurity http) throws Exception { 


  RequestHeaderAuthenticationFilter siteMinderFilter = new RequestHeaderAuthenticationFilter();
  siteMinderFilter.setPrincipalRequestHeader("SM_USER");
  siteMinderFilter.setAuthenticationManager(authenticationManager());

  http.addFilter(siteMinderFilter);  


  List<HttpMethod> methods = new ArrayList<HttpMethod>();
  methods.add(HttpMethod.GET);
  methods.add(HttpMethod.POST);
  methods.add(HttpMethod.PUT);
  methods.add(HttpMethod.DELETE);

 List<String> resources = new ArrayList<String>();
 resources.add("A");
 resources.add("B");
 resources.add("C");     
 ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = http.authorizeRequests();

 for (HttpMethod method:methods){
     for (String resource: resources){
         String auth = "resource-"+resource+"-"+method.name();
         registry.antMatchers(method, "**/"+resource+"/**")
         .hasAuthority(auth);
     }
 }

  http = registry.and();
  http.formLogin();   

}

Answer 1

过滤器无法正常运行的唯一原因是匹配器模式初始化时缺少斜杠/：

不管这个

 registry.antMatchers(method, "**/"+resource+"/**")

我应该写这个

 registry.antMatchers(method, "/**/"+resource+"/**")

URL和方法的spring安全设置

1 个答案: