How to allow access to selected REST URLs in Spring MVC

Time: 2015-10-23 14:58:08

Tags: java spring spring-mvc web.xml

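I have many REST controllers built with Spring MVC, for example:

@RequestMapping(value = "employee") EmplyoeeController
@RequestMapping(value = "office") OfficeController
@RequestMapping(value = "school") SchoolController
@RequestMapping(value = "admin") AdminController
@RequestMapping(value = "report") ReportController

Anyone should only be able to use the .../api/admin and .../api/report resources. I don't want to delete or comment out the request mappings in my other controllers. How can I achieve this in web.xml?

The issue is that we are releasing a light version of our web application, but many controllers are bundled with it. In our spring-security.xml we have:

<security:intercept-url pattern="/api/**" access="isAuthenticated()" />

If the user is authenticated, they can access all resources under /api/** - for example /api/admin, /api/office, /api/school, /api/employee, and so on. The functionality we want authenticated users to be able to access is only /api/admin and /api/report, nothing else even when authenticated. We also don't need to assign any ROLE to users yet.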

1 answer:

Answer 0: (score: 0)

You can use Spring Security. Here is a tutorial: http://spring.io/guides/gs/securing-web/

In web.xml, you can add:

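<!-- contextConfigLocation names a @Configuration class, so the root context
     (loaded by a ContextLoaderListener) must be annotation-based -->
<context-param>
    <param-name>contextClass</param-name>
    <param-value>org.springframework.web.context.support.AnnotationConfigWebApplicationContext</param-value>
</context-param>
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        some.package.LocalSecurityConfig
    </param-value>
</context-param>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- Route every request through the Spring Security filter chain -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>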

You can define LocalSecurityConfig like this:

package some.package; // placeholder package name; replace with your own

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class LocalSecurityConfig extends WebSecurityConfigurerAdapter {

    // In-memory user store with a single account
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> configurer =
                new InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder>();

        configurer.withUser("user").password("password").authorities("ROLE_USER");

        auth.apply(configurer);
    }

    // Expose the AuthenticationManager as a bean
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // These three exact paths require an authenticated user
                .antMatchers("/employee", "/office", "/school").authenticated()
                // Every other request is allowed without authentication
                .anyRequest().permitAll().and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
}
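
The requirement in the question (authenticated users may reach only /api/admin and /api/report, while the other controllers stay mapped) can be expressed as an allowlist followed by a catch-all deny. The following is an added example, not part of the original answer: the class name ApiAllowlistSecurityConfig and the in-memory user are assumptions, and the paths are taken from the question's /api/** rule.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; added illustration, not code from the page.
@Configuration
@EnableWebSecurity
public class ApiAllowlistSecurityConfig extends WebSecurityConfigurerAdapter {

    // Constructed demo account so the example is self-contained; no roles are needed.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user").password("password").authorities("ROLE_USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are checked in declaration order and the first match wins,
                // so the specific allow rules must precede the catch-all deny.
                // "/api/admin/**" matches /api/admin itself and everything below it.
                .antMatchers("/api/admin/**", "/api/report/**").authenticated()
                // All other /api/ controllers stay mapped but are refused for
                // everyone; an authenticated user receives 403 Forbidden.
                .antMatchers("/api/**").denyAll()
                // Assumption: anything outside /api/ also requires a login.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
}
```

The same ordering applies to the XML namespace: in spring-security.xml, intercept-url entries for /api/admin/** and /api/report/** with access="isAuthenticated()" placed before a /api/** entry with access="denyAll" give the same result. Because the last /api/ rule denies by default, a controller added to the bundle later is blocked until it is explicitly listed.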