Spring Security 3.2 Java configuration
I followed the Spring Security 3.2 doc to write a sample application. http.authorizeRequests().anyRequest().authorized() Does this mean that any request that is not logged in is rejected? But I can still access any URL. Am I missing something?
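    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

    @Configuration
    public class SpringWebMVCApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

        // Root application context: loads the Spring Security configuration
        @Override
        protected Class<?>[] getRootConfigClasses() {
            return new Class[] { SecurityConfig.class };
        }

        // DispatcherServlet context: loads the MVC configuration
        @Override
        protected Class<?>[] getServletConfigClasses() {
            return new Class[] { WebConfig.class };
        }

        // Map the DispatcherServlet to the application root
        @Override
        protected String[] getServletMappings() {
            return new String[] { "/" };
        }
    }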
Spring Security configuration
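    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        // Require an authenticated user for every request
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated();
        }
    }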
You can grant access to specific RESTful URLs that do not require authentication using the keywords "permitAll" and "hasAnyAuthority".
    // Inside SecurityConfig (extends WebSecurityConfigurerAdapter)
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin()
                .loginPage("/signin")
                .loginProcessingUrl("/signin/authenticate")
                .failureUrl("/loginfail")
                // Grant all access to login url
                .permitAll()
                .and()
            .logout()
                .logoutUrl("/signout")
                .logoutSuccessUrl("/signin")
                .and()
            .authorizeRequests()
                .antMatchers("/foo/**").permitAll() // No authentication required
                .antMatchers("/").hasAnyAuthority("ROLE_USER", "ROLE_ADMIN"); // Authentication required (access granted to users with role "ROLE_USER" or "ROLE_ADMIN")
    }
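You probably have not registered your springSecurityFilterChain with the war. See section 3.1.1 in Spring Security.

To summarize: the SecurityConfig class defines your Spring Security configuration. It configures the springSecurityFilterChain filter.

However, this filter chain needs to be applied to all URLs in the application and registered/associated with them (so that those URLs are intercepted by the springSecurityFilterChain). This can be done by extending AbstractSecurityWebApplicationInitializer as follows: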
    import org.springframework.security.web.context.*;

    public class SecurityWebApplicationInitializer
            extends AbstractSecurityWebApplicationInitializer {
    }
After this, Spring Security will intercept any URL and apply the appropriate security rules as configured.

Yes, I missed that. Thanks.
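A startup check for the misconfiguration described in the answer above, as an added example that is not part of the original thread or of Spring Security: a servlet listener that fails deployment-time initialization when no filter named springSecurityFilterChain is registered and mapped to /*. The class name SecurityFilterChainGuard is hypothetical, and the /* pattern is assumed to be the mapping AbstractSecurityWebApplicationInitializer applies by default.

```java
import java.util.Collection;

import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

// Hypothetical guard class (added example, not from the original thread).
// WebApplicationInitializer classes run before listeners are notified, so by
// the time contextInitialized() is called the filter must already be registered.
@WebListener
public class SecurityFilterChainGuard implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext ctx = event.getServletContext();
        // "springSecurityFilterChain": the bean/filter name @EnableWebSecurity publishes
        String name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME;

        // Case from the question: SecurityConfig is loaded, but nothing
        // registered the filter with the servlet container.
        FilterRegistration reg = ctx.getFilterRegistration(name);
        if (reg == null) {
            throw new IllegalStateException("Filter '" + name + "' is not registered: "
                    + "authorizeRequests() rules are defined but never applied. "
                    + "Add a class extending AbstractSecurityWebApplicationInitializer.");
        }

        // Registered, but only on some paths: other URLs would bypass the chain.
        Collection<String> patterns = reg.getUrlPatternMappings();
        if (!patterns.contains("/*")) {
            throw new IllegalStateException("Filter '" + name + "' is mapped to "
                    + patterns + " and does not cover '/*'.");
        }

        ctx.log("Security filter '" + name + "' registered for " + patterns);
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // Nothing to clean up.
    }
}
```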