我想使用Java Config在Spring Boot中定义类似于此XML的内容.
<http pattern="/webservices/**" security="none"/>
我需要一种不同的方法来保护它们,不能进行表单登录.保护他们将在以后到来.现在,我想停止使用http.formLogin()来保护它们.
我已经覆盖了WebSecurityConfigurerAdapter.configure().我找不到要说的API,像这样:
http.securityNone().antMatchers("/webservices")
这是我的configure()方法:
@Override
protected void configure(HttpSecurity http) throws Exception
http.csrf().disable();
http.headers().frameOptions().disable();
http.authorizeRequests()
.antMatchers("/resources/**",
//"/services/**", THIS LOGS IN AUTOMATICALLY AS 'ANONYMOUS'. NO GOOD!
//"/remoting/**", THIS LOGS IN AUTOMATICALLY AS 'ANONYMOUS'. NO GOOD!
"/pages/login",
"/pages/loginFailed").permitAll()
// Only authenticated can access these URLs and HTTP METHODs
.antMatchers("/secured/**").authenticated()
.antMatchers(HttpMethod.HEAD,"/**").authenticated()
.antMatchers(HttpMethod.GET,"/**").authenticated()
.antMatchers(HttpMethod.POST,"/**").authenticated()
.antMatchers(HttpMethod.PUT,"/**").authenticated()
.antMatchers(HttpMethod.DELETE,"/**").authenticated();
// Accept FORM-based authentication
http.formLogin()
.failureUrl("/pages/loginFailed")
.defaultSuccessUrl("/")
.loginPage("/pages/login")
.permitAll()
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/pages/logout"))
.logoutSuccessUrl("/pages/login")
.permitAll();
http.formLogin().successHandler(new AppLoginSuccessHandler());
}
Run Code Online (Sandbox Code Playgroud) 我在jhipster上有一个问题:1.10.2项目.
当客户端会话到期时,我在刷新一些页面时遇到了cookie盗窃攻击.我在这里找到了原因.当我刷新页面时,第一个请求刷新remember-me令牌,使旧令牌无效,并将结果发送到会话中存储.但与此同时,另一个请求已经消失了旧的cookie记住我的令牌.
我该如何解决这个问题?
谢谢