这是我的配置代码段
@Override
public void configure(HttpSecurity http) throws Exception {
http.
authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/api/user/**").hasAnyAuthority("ROLE_ADMIN")
.antMatchers("/api/status/**").hasAuthority("ROLE_ADMIN").anyRequest()
.authenticated()
.and()
.exceptionHandling()
.accessDeniedHandler(new OAuth2AccessDeniedHandler());
}
在此,我需要ROLE_ADMIN仅访问POST和PUT httpmethods。他应该无法访问GET或DELETE httpmethod。我需要在单个.antMatchers()方法中完成此操作。
我怎么能这样做?
答案 0 :(得分:1)
看看今年春天example project。您可以为每个路径和 HTTP谓词定义匹配器。
http .authorizeRequests() .antMatchers(HttpMethod.POST, "/employees").hasRole("ADMIN") .antMatchers(HttpMethod.PUT, "/employees/**").hasRole("ADMIN") .antMatchers(HttpMethod.PATCH, "/employees/**").hasRole("ADMIN")