Spring Boot security configuration does not work

Time: 2019-04-04 08:19:05

Tags: spring-boot security authentication spring-security

I have two kinds of URLs, secured ones and unsecured ones, for example sign-up and sign-in.

I want "sign-up" and "sign-in" to bypass security and the filter, while all other URLs must go through the filter and security.

Below is my security configuration code, but it does not work.

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.builders.WebSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;
    import org.springframework.web.cors.CorsConfiguration;
    import org.springframework.web.cors.CorsConfigurationSource;
    import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

    // CustomUserDetailsService, TempTokenGenerator and TempConfigurer are the
    // asker's own classes; they are not shown in the question.
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    @EnableWebSecurity
    @Configuration
    public class AppSecurity extends WebSecurityConfigurerAdapter {

        @Autowired
        private CustomUserDetailsService userDetailsService;

        @Autowired
        private TempTokenGenerator tempTokenGenerator;

        // Expose the AuthenticationManager as a bean so the sign-in endpoint can use it.
        @Bean
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService)
                .passwordEncoder(getPasswordEncoder());
        }

        // Not defined in the question; BCrypt is assumed here so the class compiles.
        @Bean
        public PasswordEncoder getPasswordEncoder() {
            return new BCryptPasswordEncoder();
        }

        // Requests matched here bypass the Spring Security filter chain entirely.
        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers("notsecured/signin");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Stateless token-based API: CORS on, CSRF off, no HTTP session.
            http.cors().and()
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

            http.authorizeRequests()
                    .antMatchers("/", "**secured/**").authenticated()
                .and().logout().permitAll()
                .and().apply(new TempConfigurer(tempTokenGenerator));
        }

        @Bean
        CorsConfigurationSource corsConfigurationSource() {
            final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
            return source;
        }
    }

What am I missing? What should I do to include the "secured" URLs in authentication and the filter while excluding the "unsecured" URLs from both?

    web.ignoring().antMatchers("notsecured/signin");

does not seem to work if I put

    .anyRequest().authenticated()

in http.authorizeRequests() to make the secured URLs work.

If I put

    .antMatchers("/","**/secured/**").authenticated()

together with

    .anyRequest().permitAll()

it does not work either.

1 answer:

Answer 0: (score: 0)

Use the configure(HttpSecurity http) method to secure your request endpoints:

    http.csrf().disable()
        .cors().and()
        .authorizeRequests()
            .antMatchers("/notsecured/**").permitAll()
            .antMatchers("/secured/**").fullyAuthenticated()
        .and().sessionManagement...
        .and().formLogin()
        ...

Use the configure(WebSecurity web) method to ignore static resources such as images, css, ...
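A complete version of what the answer sketches, added here as an example (this is not the asker's or the answerer's code): the public endpoints are permitted inside the filter chain, everything else is authenticated by default, and web.ignoring() is reserved for static assets. Every Ant pattern starts with "/": the question's "notsecured/signin" and "**secured/**" have no leading slash, and AntPathMatcher refuses to match a pattern without a leading separator against a request path that has one, so neither rule ever took effect. TokenFilter and the tokenToUser lookup are assumptions standing in for the question's TempConfigurer and TempTokenGenerator; its shouldNotFilter() override is what lets the sign-in/sign-up paths skip the filter too, without web.ignoring(), which would also strip security headers and every other filter from those paths.

```java
import java.io.IOException;
import java.util.function.Function;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class SplitSecurityConfig extends WebSecurityConfigurerAdapter {

    // Every pattern starts with "/": AntPathMatcher compares the leading separator
    // first, so "notsecured/signin" can never match the request path "/notsecured/signin".
    private static final String[] PUBLIC = { "/notsecured/signin", "/notsecured/signup" };
    private static final RequestMatcher PUBLIC_MATCHER = new OrRequestMatcher(
            new AntPathRequestMatcher(PUBLIC[0]), new AntPathRequestMatcher(PUBLIC[1]));

    // Assumption: maps a bearer token to a username, or null if the token is invalid.
    // In the question this role is played by TempTokenGenerator.
    private final Function<String, String> tokenToUser;

    public SplitSecurityConfig(Function<String, String> tokenToUser) {
        this.tokenToUser = tokenToUser;
    }

    @Override
    public void configure(WebSecurity web) {
        // ignoring() drops the whole security filter chain (headers, CSRF, everything)
        // for a path, so reserve it for static assets; sign-in/sign-up stay in the chain.
        web.ignoring().antMatchers("/css/**", "/js/**", "/images/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and()
            // Only acceptable for a stateless, header-token API with no cookie session.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
                .antMatchers(PUBLIC).permitAll()
                .antMatchers("/secured/**").authenticated()
                .anyRequest().authenticated()      // deny by default: new paths are protected
            .and()
            .addFilterBefore(new TokenFilter(PUBLIC_MATCHER, tokenToUser),
                    UsernamePasswordAuthenticationFilter.class);
    }

    // Hypothetical stand-in for the filter the question's TempConfigurer installs.
    static class TokenFilter extends OncePerRequestFilter {
        private final RequestMatcher skip;
        private final Function<String, String> tokenToUser;

        TokenFilter(RequestMatcher skip, Function<String, String> tokenToUser) {
            this.skip = skip;
            this.tokenToUser = tokenToUser;
        }

        // Public endpoints bypass this filter without being removed from the chain.
        @Override
        protected boolean shouldNotFilter(HttpServletRequest request) {
            return skip.matches(request);
        }

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            String header = request.getHeader("Authorization");
            if (header == null || !header.startsWith("Bearer ")) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "missing bearer token");
                return;
            }
            String user = tokenToUser.apply(header.substring("Bearer ".length()));
            if (user == null) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid token");
                return;
            }
            // Populate the SecurityContext so the .authenticated() rules pass.
            SecurityContextHolder.getContext().setAuthentication(
                    new UsernamePasswordAuthenticationToken(user, null,
                            AuthorityUtils.createAuthorityList("ROLE_USER")));
            chain.doFilter(request, response);
        }
    }
}
```

The deny-by-default .anyRequest().authenticated() is deliberate: with it, a new controller path is protected until someone explicitly adds it to the public list, whereas the question's .anyRequest().permitAll() variant leaves every unlisted path open.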