I am trying to set up different authentication rules for different URLs in a Spring application.
For all public REST requests under /rest/** I want to use basic authentication, and for internal REST calls under /internal/** I need IP-based access so that certain defined hosts can reach them without authenticating.
I tried the following configuration:
    // First filter chain: basic authentication for the public REST API.
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
            http.authorizeRequests().antMatchers("rest/**").authenticated()
                .and().httpBasic()
                .and().csrf().disable();
        }
    }

    // Second filter chain: IP-based access for the internal endpoints.
    @Configuration
    @Order(2)
    public static class Api2WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
            http.authorizeRequests()
                .antMatchers("/internal/**").access("hasIpAddress('100.100.100.100/16')")
                .anyRequest().authenticated();
        }
    }
But if I call the internal endpoint from localhost, I do not get the 403 error I expect.

Answer 0 (score: 0)

After a lot of trial and error, I came up with this:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.authorizeRequests().antMatchers("/rest/**").authenticated()
            .and().httpBasic()
            .and().csrf().disable()
            .authorizeRequests()
                .antMatchers("/internal/**").access("hasIpAddress('100.100.100.100/16')")
                .anyRequest().permitAll()
                .anyRequest().denyAll();
    }