Spring Security 3.2 Java configuration

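I followed the Spring Security 3.2 doc to write a sample application. Does http.authorizeRequests().anyRequest().authorized() mean that any request that is not logged in is denied? But I can still access every URL. Am I missing something?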

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

@Configuration
public class SpringWebMVCApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class[] { SecurityConfig.class };
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return new Class[] { WebConfig.class };
    }

    @Override
    protected String[] getServletMappings() {
        return new String[] { "/" };
    }
}

Spring Security configuration:

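import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration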
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .authorizeRequests()
            .anyRequest().authenticated();
    }
}

You can grant access to a specific RESTful URL that does not require authentication by using the keywords "permitAll" and "hasAnyAuthority".

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin()
                .loginPage("/signin")
                .loginProcessingUrl("/signin/authenticate")
                .failureUrl("/loginfail")
                // Grant all access to login url
                .permitAll()
                .and()
            .logout()
                .logoutUrl("/signout")
                .logoutSuccessUrl("/signin")
                .and()
            .authorizeRequests()
                // No authentication required
                .antMatchers("/foo/**").permitAll()
                // Authentication required (access granted to users with role "ROLE_USER" or "ROLE_ADMIN")
                .antMatchers("/").hasAnyAuthority("ROLE_USER", "ROLE_ADMIN");
    }

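You have probably not registered your springSecurityFilterChain with the war. See section 3.1.1 in Spring Security.

To summarize:

The SecurityConfig class defines your Spring Security configuration. It configures the springSecurityFilterChain filter.

However, this filter chain needs to be applied to all URLs in your application and registered/associated with them (so that those URLs are intercepted by springSecurityFilterChain). This can be done by extending AbstractSecurityWebApplicationInitializer as follows: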

import org.springframework.security.web.context.*;

public class SecurityWebApplicationInitializer
      extends AbstractSecurityWebApplicationInitializer {

}

After this, Spring Security will intercept any URL and apply the appropriate security rules as configured.

Yes, I missed that. Thanks.
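
A startup check for the mistake discussed on this page, added here as an example (it is not code from the question or the answers): a servlet listener that aborts deployment when no filter named springSecurityFilterChain is mapped to the whole application. The class name FilterChainRegistrationCheck and the required "/*" mapping are assumptions of this example, and it assumes a Servlet 3.0 container with annotation scanning enabled.

```java
import java.util.Collection;

import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

// Hypothetical class, added as an example. Listeners are notified after all
// ServletContainerInitializers (and so every Spring WebApplicationInitializer)
// have finished registering servlets and filters.
@WebListener
public class FilterChainRegistrationCheck implements ServletContextListener {

    // Filter name used on this page for the Spring Security chain.
    private static final String FILTER_NAME = "springSecurityFilterChain";
    // Assumption of this example: every URL of the application must be covered.
    private static final String REQUIRED_MAPPING = "/*";

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext ctx = event.getServletContext();

        // null means the SecurityConfig rules exist but are never applied.
        FilterRegistration reg = ctx.getFilterRegistration(FILTER_NAME);
        if (reg == null) {
            throw new IllegalStateException("Filter '" + FILTER_NAME
                    + "' is not registered; authorizeRequests() rules will not be"
                    + " enforced. Add a class extending"
                    + " AbstractSecurityWebApplicationInitializer.");
        }

        // Registered but mapped too narrowly leaves some URLs unprotected.
        Collection<String> patterns = reg.getUrlPatternMappings();
        if (!patterns.contains(REQUIRED_MAPPING)) {
            throw new IllegalStateException("Filter '" + FILTER_NAME
                    + "' is mapped to " + patterns + " but not to '"
                    + REQUIRED_MAPPING + "'.");
        }
        ctx.log("Security filter '" + FILTER_NAME + "' mapped to " + patterns);
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // Nothing to clean up.
    }
}
```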