春季安全性,匿名且已针对同一端点进行身份验证

时间:2019-07-01 13:59:46

标签: java spring-boot security

我有/home个端点:

@RequestMapping(value = "/home", method = RequestMethod.GET)
    public ModelAndView getLoginPage(
            HttpServletResponse response,
            @RequestParam(value = "msg", required = false)  String message{

            modelView.setViewName("landingpage/home");


        return modelView;
    }

它返回html,其中还包含登录信息以及登录用户的仪表板。因此,对于经过身份验证的用户,它是开放的:

http
        .authorizeRequests()
        .antMatchers("/", "/home", "/book/**").authenticated()

但在登录失败后,也必须将其打开,因为它将消息发送到/ home端点:

public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception)
....
     String exceptionMessage = exception.getMessage();
        String msgParam = "?msg=" + EncryptionUtil.encode(exceptionMessage);
        response.sendRedirect(/home + msgParam);

所以我想要的是,

localhost:8080/home -> should be open to onlyauthenticated
localhost:8080/home?msg=asdsada -> should be open to all users

我尝试添加此

  .antMatchers("/reset-password", "/login", "/home/**").anonymous()

所有班级都变成这样:

        .antMatchers("/", "/home", "/deposit/**").authenticated()
         .antMatchers("/reset-password", "/login", "/home/**").anonymous()

但是当我去

http://localhost:8080/home?msg=BAcQreS-4_K54e3jWSksds

无法进行,因为不允许未经身份验证的人。

我该怎么办?

0 个答案:

没有答案