sec*_*tar 5 spring-security spring-security-oauth2
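I have been struggling to understand how and when to use HttpSecurity.requestMatchers. Although I use HttpSecurity.requestMatchers, I still have calls to authorizeRequests and antMatchers to specify the security rules.
When should I use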
    http.requestMatchers()
        .antMatchers("/secure/**", "/patients/**", "/patient/**", "/hello/**")
        .and()
        .authorizeRequests().antMatchers("/secure/**", "/books/**", "/book/**", "/hello/**")
        .hasAnyRole("ADMIN", "USER");
over
    http
        .authorizeRequests().antMatchers("/secure/**", "/books/**", "/hello/**", "/hello/**")
        .hasAnyRole("ADMIN", "USER");
A scenario would help me understand the use case for HttpSecurity.requestMatchers.
I did look into requestMatchers, but it is still not clear to me.
小智 6
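If you need to configure multiple HttpSecurity in your application, then you would typically use HttpSecurity.requestMatchers() or one of the alternative (but similar) configuration options:
- HttpSecurity.requestMatcher(RequestMatcher)
- HttpSecurity.antMatcher(String)
- HttpSecurity.mvcMatcher(String)
- HttpSecurity.regexMatcher(String)
See the reference in 6.10 Multiple HttpSecurity.
For example, if your application has a set of APIs rooted at the base path /api and another category of endpoints for the admin section of the application rooted at the base path /admin, then you might define 2x WebSecurityConfigurerAdapter for your application as such: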
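    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class SecurityConfig {

        @Configuration
        @Order(1)
        public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    // This HttpSecurity only handles requests under /api/**
                    .requestMatchers()
                        .antMatchers("/api/**")
                        .and()
                    // Authorization rules for requests handled by this HttpSecurity
                    .authorizeRequests()
                        .antMatchers("/api/endpoint1")
                        .hasRole("USER1");
            }
        }

        @Configuration
        public static class AdminWebSecurityConfig extends WebSecurityConfigurerAdapter {
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    // This HttpSecurity only handles requests under /admin/**
                    .requestMatchers()
                        .antMatchers("/admin/**")
                        .and()
                    .authorizeRequests()
                        .antMatchers("/admin/endpoint1")
                        .hasRole("ADMIN1");
            }
        }
    }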
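However, if you only provide 1x WebSecurityConfigurerAdapter then you don't need to configure HttpSecurity.requestMatchers() (or any of the alternatives), because it will automatically default to HttpSecurity.requestMatcher(AnyRequestMatcher.INSTANCE). So for these configuration cases, this is sufficient: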
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers(...
        }
    }
Hope this makes sense?
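An added example, not part of the answer above or of Spring's own code: the /api chain from the answer with its scope (requestMatchers) and its rules (authorizeRequests) labelled, plus the two fallbacks that close the gaps between them. It assumes Spring Security 5.x; the class names, the HTTP Basic login and the deny-all policy for unscoped paths are assumptions chosen for illustration.

```java
// Added example, not from the original answer. Assumes Spring Security 5.x.
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class ScopedSecurityConfig { // hypothetical class name

    @Configuration
    @Order(1)
    public static class ApiChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // Scope: only /api/** requests enter this filter chain.
                .requestMatchers().antMatchers("/api/**").and()
                // Rules: checked in order, only for requests already in scope.
                .authorizeRequests()
                    .antMatchers("/api/endpoint1").hasRole("USER1")
                    // Fallback: without it, any other /api/ path is in scope but
                    // matches no rule, and authorizeRequests() lets it through.
                    .anyRequest().authenticated()
                    .and()
                .httpBasic(); // assumed authentication mechanism
        }
    }

    @Configuration // no @Order: default order 100, so this chain is tried last
    public static class CatchAllChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // No requestMatchers(): the scope defaults to any request, so paths
            // outside /api/** still pass through a Spring Security filter chain
            // instead of bypassing the security filters entirely.
            http.authorizeRequests().anyRequest().denyAll(); // assumed policy
        }
    }
}
```

An /admin chain scoped the same way would take `@Order(2)`, since each WebSecurityConfigurerAdapter needs a unique order.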