SpringBoot + REST + Security - all access on or off
What I want to do should be simple: REST services with 3 different security levels:
- a "public" REST service that everyone can access
- a "protected" REST service for "users"
- a "private" REST service for "admins"

But either I can access everything or, with the current configuration, without BasicAuth I always get:
- Full authentication is required to access this resource

With "uuu" + "ppp" I always get:
- Bad credentials

By the way, I am using SpringBoot 1.5.3.
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.builders.WebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

    @Configuration
    @EnableWebSecurity
    public class RestSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication().withUser("aaa").password("ppp").roles("USER", "ADMIN");
            auth.inMemoryAuthentication().withUser("uuu").password("ppp").roles("USER");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                .authorizeRequests()
                    .antMatchers("/public/**").permitAll()
                    .antMatchers("/protected/**").hasRole("USER")
                    .antMatchers("/private/**").hasRole("ADMIN")
                .and().httpBasic()
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); // We don't need sessions to be created.
        }

        @Override
        public void configure(WebSecurity web) throws Exception {
            web
                .ignoring()
                    .antMatchers(HttpMethod.OPTIONS, "/**"); /* To allow Pre-flight [OPTIONS] request from browser */
        }
    }
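The OP found that their solution actually works. The component scan was the problem, because my REST project is a sub-project of my DAO and repository project.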
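    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.boot.autoconfigure.domain.EntityScan;
    import org.springframework.context.annotation.ComponentScan;
    import org.springframework.data.jpa.repository.config.EnableJpaRepositories;

    @SpringBootApplication
    @EnableAutoConfiguration
    @ComponentScan({"com.leycarno.base", "com.leycarno.rest"}) // now we're listening to all the nice components :-)
    @EnableJpaRepositories("com.leycarno.base.repositories")
    @EntityScan("com.leycarno.base.models")
    public class Application {
        public static void main(String[] args) {
            SpringApplication.run(Application.class, args);
        }
    }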
    auth.inMemoryAuthentication().withUser("aaa").password("ppp").roles("USER", "ADMIN").and().withUser("uuu").password("ppp").roles("USER");
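
A regression check for the three access levels and the component-scan fix described above. This is an added example, not code from the original thread. It assumes the test class is placed (with a matching package declaration) in or below the package of `Application`, that `spring-boot-starter-test` and `spring-security-test` are on the test classpath, and that GET handlers exist at the hypothetical paths `/public/ping`, `/protected/ping` and `/private/ping`.

```java
import static org.junit.Assert.assertTrue;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.ApplicationContext;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

// Added example. The /…/ping endpoints are hypothetical; the users "aaa" and "uuu"
// and the password "ppp" are the in-memory accounts from RestSecurityConfig.
@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class RestSecurityConfigTest {
    @Autowired private ApplicationContext ctx;
    @Autowired private MockMvc mvc;

    @Test // fails when the package of RestSecurityConfig is missing from @ComponentScan
    public void securityConfigIsPickedUpByComponentScan() {
        assertTrue(ctx.containsBean("restSecurityConfig"));
    }

    @Test
    public void anonymousReachesOnlyPublic() throws Exception {
        mvc.perform(get("/public/ping")).andExpect(status().isOk());
        mvc.perform(get("/protected/ping")).andExpect(status().isUnauthorized());
        mvc.perform(get("/private/ping")).andExpect(status().isUnauthorized());
    }

    @Test
    public void userReachesProtectedButNotPrivate() throws Exception {
        mvc.perform(get("/protected/ping").with(httpBasic("uuu", "ppp"))).andExpect(status().isOk());
        mvc.perform(get("/private/ping").with(httpBasic("uuu", "ppp"))).andExpect(status().isForbidden());
    }

    @Test
    public void adminReachesPrivateAndBadPasswordIsRejected() throws Exception {
        mvc.perform(get("/private/ping").with(httpBasic("aaa", "ppp"))).andExpect(status().isOk());
        mvc.perform(get("/protected/ping").with(httpBasic("uuu", "wrong"))).andExpect(status().isUnauthorized());
    }
}
```

The distinction between 401 (no or bad credentials) and 403 (authenticated but lacking the role) is what separates "security is applied per path" from the all-or-nothing behaviour in the question.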