我们什么时候使用antMatcher()vs antMatchers()?
例如:
http
.antMatcher("/high_level_url_A/**")
.authorizeRequests()
.antMatchers("/high_level_url_A/sub_level_1").hasRole('USER')
.antMatchers("/high_level_url_A/sub_level_2").hasRole('USER2')
.somethingElse()
.anyRequest().authenticated()
.and()
.antMatcher("/high_level_url_B/**")
.authorizeRequests()
.antMatchers("/high_level_url_B/sub_level_1").permitAll()
.antMatchers("/high_level_url_B/sub_level_2").hasRole('USER3')
.somethingElse()
.anyRequest().authenticated()
.and()
...
我期待的是,
/high_level_url_A/**应该经过身份验证+ /high_level_url_A/sub_level_1仅适用于USER且/high_level_url_A/sub_level_2仅适用于USER2/high_level_url_B/**应该被认证+ /high_level_url_B/sub_level_1用于公共访问,并且/high_level_url_A/sub_level_2仅用于USER3.我看到最近的例子不包括antMatcher()这些天.这是为什么?是否antMatcher()不再需要?
我无法在SO上找到答案(例如,这里 。SpringSecurity:类扩展BasicAuthenticationEntryPoint中的Commence方法,没有被调用)
我只想覆盖BasicAuthenticationEntryPoint而不覆盖其他过滤器和其他人员:
<bean id="authenticationEntryPoint" name="authenticationEntryPoint"
class="com.myclass.BasicAuthenticationEntryPoint">
<property name="realmName" value="myapp" />
</bean>
不幸的是,它不起作用,我需要配置过滤器。
<security:http auto-config="true" ..
<sec:custom-filter ref="basicAuthenticationFilter"
before="BASIC_AUTH_FILTER" />
</sec:http>
<bean id="basicAuthenticationFilter"
class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<constructor-arg name="authenticationManager" ref="authenticationManager" />
<constructor-arg name="authenticationEntryPoint" ref="authenticationEntryPoint" />
</bean>
然后我有这个警告。
WARN 2015-10-29 09:44:05,330 [localhost-startStop-1::DefaultFilterChainValidator] [user:system] Possible error: Filters at position 2 and 3 are both instances of org.springframework.security.web.authentication.www.BasicAuthenticationFilter
因此,我需要禁用自动配置,但我不想这样做:
<security:http auto-config="false" ...
在SpringSecurity 4中重写BasicAuthenticationEntryPoint的最简单方法是什么?