Spring Security - POST request blocked by authentication

Time: 2015-12-31 16:52:46

Tags: spring security authentication post

I have the following code in my WebSecurityConfigurerAdapter:

@Override
protected void configure(HttpSecurity http) throws Exception {
  http.authorizeRequests()
    .antMatchers(HttpMethod.POST, "/api/**").permitAll()
    .antMatchers(HttpMethod.GET, "/api/**").permitAll()
    .antMatchers("/admin/**").hasAnyRole("View","Modify","Delete")
    .antMatchers("/secured/**").authenticated()
    .and()
      .formLogin().loginPage("/login").failureUrl("/login?error")
      .usernameParameter("username").passwordParameter("password")
    .and()
      .logout().logoutSuccessUrl("/login?logout")
    .and()
      .exceptionHandling().accessDeniedPage("/login/403")
    .and()
      .csrf();
}

When I make a GET request to /api, I can reach the request handler without authenticating, but POST requests are sent to the 403 page.

I originally did not have the /api lines at all and had the same problem: GET worked, but POST required authentication.

The library versions are:

<properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <maven.compiler.source>1.6</maven.compiler.source>
    <maven.compiler.target>1.6</maven.compiler.target>
    <java-version>1.6</java-version>
    <org.springframework-version>4.2.2.RELEASE</org.springframework-version>
    <org.springframework.security-version>4.0.3.RELEASE</org.springframework.security-version>
    <org.springframework.data-version>1.9.2.RELEASE</org.springframework.data-version>
    <org.aspectj-version>1.6.12</org.aspectj-version>
    <org.slf4j-version>1.6.6</org.slf4j-version>
    <cglib-version>2.2.2</cglib-version>
    <com.fasterxml.jackson.core-version>2.6.3</com.fasterxml.jackson.core-version>
    <org.hibernate-version>4.1.7.Final</org.hibernate-version>
    <mysql-version>5.1.37</mysql-version>
    <junit-version>4.11</junit-version>
    <org.mockito-version>1.10.19</org.mockito-version>
    <org.hamcrest-version>2.0.0.0</org.hamcrest-version>
    <com.jayway.jsonpath-version>0.8.1</com.jayway.jsonpath-version>
</properties>

After more research, I added the following code and it fixed the problem, but I still don't understand why my original code didn't work:

@Override
public void configure(WebSecurity webSecurity) throws Exception
{
    webSecurity
        .ignoring()
            // All of Spring Security will ignore the requests
            .antMatchers("/api/**"); // APIs use a key
}

0 answers:

No answers
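
In Spring Security, `permitAll()` only settles authorization: with `.csrf()` enabled, the CSRF filter still rejects a POST that carries no token and the denial goes to `accessDeniedPage`, while GET is never token-checked; `web.ignoring()` makes the symptom go away by removing every security filter from `/api/**`. The configuration below is an added example, not code from the original post: it exempts only `/api/**` from CSRF and keeps the rest of the filter chain. It assumes the API authenticates with a key and not a session cookie, as the post's code comment says; the class name is hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; matchers and URLs are copied from the question.
@Configuration
@EnableWebSecurity
public class ApiCsrfExemptSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Authorization: anyone may call the API endpoints.
                .antMatchers(HttpMethod.POST, "/api/**").permitAll()
                .antMatchers(HttpMethod.GET, "/api/**").permitAll()
                .antMatchers("/admin/**").hasAnyRole("View", "Modify", "Delete")
                .antMatchers("/secured/**").authenticated()
            .and()
                .formLogin().loginPage("/login").failureUrl("/login?error")
                .usernameParameter("username").passwordParameter("password")
            .and()
                .logout().logoutSuccessUrl("/login?logout")
            .and()
                .exceptionHandling().accessDeniedPage("/login/403")
            .and()
                .csrf()
                    // CSRF token checks stay on for the form-login pages
                    // (/login, /admin/**, /secured/**) and are skipped only
                    // for the API. Assumption: the API is authenticated by a
                    // key sent with each request, not by the session cookie,
                    // so a cross-site request from a browser carries no
                    // usable credential.
                    .ignoringAntMatchers("/api/**");
    }
}
```

Unlike `web.ignoring()`, requests to `/api/**` still pass through the security filter chain here, so response security headers and the security context remain in place for those endpoints.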