
Using WebSecurity correctly in WebSecurityConfigurerAdapter

Updated: 2023-02-17 19:59:51

Your example means that Spring (Web) Security is ignoring URL patterns that match the expression you have defined ("/static/**"). This URL is skipped by Security and is therefore unsecured.


Allows adding RequestMatcher instances that Spring Security should ignore. Web Security provided by Spring Security (including the SecurityContext) will not be available on HttpServletRequest that match. Typically the requests that are registered should be that of only static resources. For requests that are dynamic, consider mapping the request to allow all users instead.

See: http://docs.spring.io/autorepo/docs/spring-security/4.0.0.RELEASE/apidocs/org/springframework/security/config/annotation/web/builders/WebSecurity.html

You can have as many URL patterns secured or unsecured as you like. With Spring Security you get authentication and access-control features for the web layer of an application. You can also restrict access to part of the URL space to users who have a specified role, and so on. Have a look here: http://docs.spring.io/spring-security/site/docs/current/reference/html/

Ordering of URL patterns (priority)


When matching the specified patterns against an incoming request, the matching is done in the order in which the elements are declared. So the most specific match patterns should come first and the most general should come last.

There are multiple children to the http.authorizeRequests() method; each matcher is considered in the order they were declared.

Patterns are always evaluated in the order they are defined. Thus it is important that more specific patterns are defined higher in the list than less specific patterns.

See: http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#filter-security-interceptor

Example 1

In general, using the WebSecurity ignoring() method omits Spring Security entirely for the matched requests, and none of Spring Security's features will be available for them. WebSecurity sits above HttpSecurity and is evaluated first. In XML configuration you can write <http pattern="/resources/**" security="none"/>.

@Override
public void configure(WebSecurity web) throws Exception {
    web
        .ignoring()
        .antMatchers("/resources/**")
        .antMatchers("/publics/**");
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .antMatchers("/admin/**").hasRole("ADMIN")
        .antMatchers("/publics/**").hasRole("USER") // no effect
        .anyRequest().authenticated();
}

WebSecurity in the above example lets Spring ignore /resources/** and /publics/**. Therefore the .antMatchers("/publics/**").hasRole("USER") in HttpSecurity is never considered.


This will omit the request pattern from the security filter chain entirely. Note that anything matching this path will then have no authentication or authorization services applied and will be freely accessible.

Example 2

Patterns are always evaluated in order. The matching below is invalid because the first pattern matches every request, so the second match will never apply:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .antMatchers("/**").hasRole("USER")          // matches everything first
        .antMatchers("/admin/**").hasRole("ADMIN");  // never reached
}
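As an added example that is not part of the original answer, here is how both examples above can be written correctly with the same WebSecurityConfigurerAdapter API: only static resources go into ignoring(), the dynamic /publics/** area is mapped with permitAll() as the Javadoc suggests, and the more specific /admin/** matcher comes before the catch-all. The class name SecurityConfig is an assumption.

```java
// Added example (not from the original answer): corrected form of Examples 1 and 2.
// Only truly static assets bypass the filter chain; everything else stays inside it,
// so the SecurityContext is still available and the matchers are ordered correctly.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter { // class name is an assumption

    @Override
    public void configure(WebSecurity web) throws Exception {
        // ignoring() removes the request from the security filter chain entirely:
        // no authentication, no authorization, no SecurityContext. Use it for
        // static resources only.
        web.ignoring().antMatchers("/resources/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Most specific first: the admin area requires ROLE_ADMIN.
                .antMatchers("/admin/**").hasRole("ADMIN")
                // Dynamic public pages: permitAll() instead of ignoring(), so the
                // request still passes through the chain and can see who is logged in.
                .antMatchers("/publics/**").permitAll()
                // Most general last: every other request needs an authenticated user.
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

With this ordering a request to /admin/reports is evaluated against /admin/** before the anyRequest() rule, and a request to /publics/news is allowed without bypassing the filter chain.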