Java 如何在Spring MVC中允许访问选定的REST URL
我有许多用Spring MVC构建的REST控制器,例如:
@RequestMapping(value = "employee")
EmplyoeeController
@RequestMapping(value = "office")
OfficeController
@RequestMapping(value = "school")
SchoolController
@RequestMapping(value = "admin")
AdminController
@RequestMapping(value = "report")
ReportController
任何人都只能使用 ../api/admin 和 ../api/report 资源。
我不想删除或注释其他控制器中的请求映射。如何在web.xml中实现这一点?
问题是我们正在发布一个精简版的web应用程序,但是捆绑了许多控制器。在我们的spring-security.xml中,我们有:
<!-- Authentication-only rule: any logged-in user reaches every path under /api/;
     it does not restrict which controllers are reachable. -->
<security:intercept-url
pattern="/api/**"
access="isAuthenticated()"
/>
如果用户经过身份验证,那么这将允许他们访问 /api/** 下的所有资源,如 /api/admin、/api/office、/api/school、/api/employee 等等。
我们希望经过身份验证的用户只能访问 /api/admin 和 /api/report 这两项功能;即使他们已通过身份验证,也不能访问其他功能。
我们还不需要为用户分配任何角色。
您可以使用Spring Security来实现这一点。教程在这里:(原链接缺失)
在web.xml中,您可以添加以下内容:
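<!-- A @Configuration class name is only understood by AnnotationConfigWebApplicationContext.
     Without this parameter the default XML-based context treats the value of
     contextConfigLocation as an XML resource path and the security configuration is never loaded.
     NOTE(review): a ContextLoaderListener must also be registered for these context-params
     to be read; presumably it already exists elsewhere in this web.xml. Confirm. -->
<context-param>
    <param-name>contextClass</param-name>
    <param-value>
        org.springframework.web.context.support.AnnotationConfigWebApplicationContext
    </param-value>
</context-param>
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        some.package.LocalSecurityConfig
    </param-value>
</context-param>
<!-- DelegatingFilterProxy looks up the bean named springSecurityFilterChain,
     which @EnableWebSecurity registers in the root context. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- Mapped to every request so that no URL bypasses the security filter chain. -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>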
您可以这样定义LocalSecurityConfig:
package some.package;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
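/**
 * Spring Security configuration that lets authenticated users reach only the
 * admin and report REST resources and refuses every other path under /api/.
 *
 * <p>NOTE(review): {@code WebSecurityConfigurerAdapter} is deprecated since
 * Spring Security 5.7 and removed in 6.0; on those versions the same rules
 * belong in a {@code SecurityFilterChain} bean.
 */
@Configuration
@EnableWebSecurity
public class LocalSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Registers a single in-memory account used for authentication.
     *
     * @param auth builder the in-memory user store is applied to
     * @throws Exception if the configurer cannot be applied
     */
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> configurer =
                new InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder>();
        // NOTE(review): sample account with a hard-coded, plain-text password.
        // Before shipping, load users from a real store and hash passwords with a
        // PasswordEncoder. Spring Security 5+ rejects passwords that carry no encoder id.
        configurer.withUser("user").password("password").authorities("ROLE_USER");
        auth.apply(configurer);
    }

    /**
     * Exposes the {@link AuthenticationManager} built by this configuration as a bean.
     *
     * @return the authentication manager provided by the adapter
     * @throws Exception if the manager cannot be obtained
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Defines the URL authorization rules. Rules are evaluated in declaration
     * order and the first matching pattern wins, so the allow-list must come
     * before the catch-all deny.
     *
     * <p>The previous rules required login only for the exact paths
     * {@code /employee}, {@code /office} and {@code /school} and permitted
     * everything else, which left admin/report open to anonymous callers and
     * still let logged-in users reach the controllers that should be disabled.
     *
     * @param http the security builder to configure
     * @throws Exception if the configuration cannot be applied
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Allow-list: the only API roots that stay reachable, and only after login.
                // Assumes controllers are served under /api/ as in the existing
                // intercept-url pattern; adjust the prefix if the dispatcher mapping differs.
                .antMatchers("/api/admin/**", "/api/report/**").authenticated()
                // Every other controller under /api/ is refused for everyone, logged in
                // or not, so bundled-but-unreleased endpoints are unreachable without
                // touching their @RequestMapping annotations.
                .antMatchers("/api/**").denyAll()
                // Paths outside /api/ (login page, static content) remain open;
                // tighten this if they serve anything sensitive.
                .anyRequest().permitAll()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
}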
dispatcher/admin/*/report/*