我试图使get端点称为"/Proposetas/公共汽车/Proposetas publicas";接受匿名访问,但permitAll((不允许这样做。
这是我的PUBLIC_MATCHERS_GET,其中包含我要为匿名访问打开的端点:
private static final String[] PUBLIC_MATCHERS_GET = {
"/",
"/editais/**",
"/propostas/buscar/propostas-publicas",
"/swagger-ui.html/**",
"/v2/api-docs/**",
"/webjars/**",
"/swagger-resources/**"
};
重写的配置方法(在我扩展WebSecurityConfigurerAdapter的自定义配置类中(具有以下配置方法:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors().and().csrf().disable()
.exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())
.and()
.authorizeRequests()
.antMatchers(HttpMethod.GET, ADMIN_MATCHERS_GET).hasAnyAuthority("ROLE_A", "ROLE_R")
.antMatchers(HttpMethod.PUT, ADMIN_MATCHERS_PUT).hasAnyAuthority("ROLE_A", "ROLE_R")
.antMatchers(HttpMethod.DELETE, ADMIN_MATCHERS_DELETE).hasAnyAuthority("ROLE_A", "ROLE_R")
.antMatchers(HttpMethod.POST, ADMIN_MATCHERS_POST).hasAnyAuthority("ROLE_A", "ROLE_R")
.antMatchers(HttpMethod.GET, PROPONENTE_MATCHERS_GET).hasAnyAuthority("ROLE_P", "ROLE_A", "ROLE_R")
.antMatchers(HttpMethod.POST, PROPONENTE_MATCHERS_POST).hasAnyAuthority("ROLE_P", "ROLE_A", "ROLE_R")
.antMatchers(HttpMethod.PUT, PROPONENTE_MATCHERS_PUT).hasAnyAuthority("ROLE_P", "ROLE_A", "ROLE_R")
.antMatchers(HttpMethod.DELETE, PROPONENTE_MATCHERS_DELETE).hasAnyAuthority("ROLE_P", "ROLE_A", "ROLE_R")
.antMatchers(HttpMethod.GET, DISCENTE_MATCHERS_GET).hasAnyAuthority("ROLE_D", "ROLE_P", "ROLE_A", "ROLE_R")
.antMatchers(HttpMethod.GET, USUARIO_MATCHERS_GET).hasAnyAuthority("ROLE_U", "ROLE_D", "ROLE_P", "ROLE_A", "ROLE_R")
.antMatchers(HttpMethod.PUT, USUARIO_MATCHERS_PUT).hasAnyAuthority("ROLE_U", "ROLE_D", "ROLE_P", "ROLE_A", "ROLE_R")
.antMatchers(HttpMethod.POST, USUARIO_MATCHERS_POST).hasAnyAuthority("ROLE_U", "ROLE_D", "ROLE_P", "ROLE_A", "ROLE_R")
.antMatchers(HttpMethod.GET, PUBLIC_MATCHERS_GET).permitAll()
.antMatchers(HttpMethod.POST, PUBLIC_MATCHERS_POST).permitAll()
.antMatchers(PUBLIC_MATCHERS).permitAll()
.antMatchers("/oauth2/**", "/oauth2/*", "/oauth/*").permitAll()
.and()
.authorizeRequests()
.anyRequest().authenticated()
// .anyRequest().permitAll()
.and()
.oauth2Login()
.authorizationEndpoint()
.baseUri("/oauth2/authorize")
.authorizationRequestRepository(cookieAuthorizationRequestRepository())
.and()
.redirectionEndpoint()
.baseUri("/login/oauth2/code/*")
.and()
.userInfoEndpoint()
.userService(customOAuth2UserService)
.and()
.successHandler(oAuth2AuthenticationSuccessHandler)
.failureHandler(oAuth2AuthenticationFailureHandler);
http.addFilter(new JWTAuthenticationFilter(authenticationManager(), jwtUtil));
http.addFilter(new JWTAuthorizationFilter(authenticationManager(), jwtUtil, userDetailsService));
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.logout()
.logoutSuccessUrl("/")
.clearAuthentication(true)
.permitAll();
// Line to use H2 web console
http.headers().frameOptions().sameOrigin();
}
在Spring中,安全顺序很重要。第一场比赛是习惯的比赛。把你的火柴上移。下面是我在项目中使用的一个例子:
http
.httpBasic().disable()
.csrf().disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.mvcMatchers(AUTHENTICATION_ENDPOINTS).permitAll()
.mvcMatchers(ADMIN_ENDPOINTS).hasRole(ADMIN)
.anyRequest().authenticated();