When to use Spring Security's antMatcher()?
When do we use antMatcher() versus antMatchers()?

For example:

    http
        .antMatcher("/high_level_url_A/**")
        .authorizeRequests()
            .antMatchers("/high_level_url_A/sub_level_1").hasRole("USER")
            .antMatchers("/high_level_url_A/sub_level_2").hasRole("USER2")
            .somethingElse()
            .anyRequest().authenticated()
        .and()
        .antMatcher("/high_level_url_B/**")
        .authorizeRequests()
            .antMatchers("/high_level_url_B/sub_level_1").permitAll()
            .antMatchers("/high_level_url_B/sub_level_2").hasRole("USER3")
            .somethingElse()
            .anyRequest().authenticated()
        .and()
        ...
What I expect is:

- Any request matching /high_level_url_A/** should be authenticated, plus /high_level_url_A/sub_level_1 only for USER and /high_level_url_A/sub_level_2 only for USER2.
- Any request matching /high_level_url_B/** should be authenticated, plus /high_level_url_B/sub_level_1 should be public and /high_level_url_A/sub_level_2 only for USER3.
- Any other pattern I don't care about, but it should be public?

I recently noticed that the latest examples don't include antMatcher(). Why is that? Is antMatcher() no longer needed?
I'm updating my answer...

antMatcher() is a method of HttpSecurity and has nothing to do with authorizeRequests(). Basically, http.antMatcher() tells Spring to configure this HttpSecurity only if the path matches this pattern.

authorizeRequests().antMatchers() is then used to apply authorization, such as permitAll() or hasRole("USER3"), to one or more paths you specify in antMatchers(). These are applied only if the first http.antMatcher() matched.

You need antMatcher for multiple HttpSecurity; see the Spring Security Reference:

5.7 Multiple HttpSecurity

We can configure multiple HttpSecurity instances just as we can have multiple <http> blocks. The key is to extend the WebSecurityConfigurerAdapter multiple times. For example, the following is an example of having a different configuration for URLs that start with /api/.
    @EnableWebSecurity
    public class MultiHttpSecurityConfig {
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) { // (1)
            auth
                .inMemoryAuthentication()
                    .withUser("user").password("password").roles("USER").and()
                    .withUser("admin").password("password").roles("USER", "ADMIN");
        }

        @Configuration
        @Order(1) // (2)
        public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .antMatcher("/api/**") // (3)
                    .authorizeRequests()
                        .anyRequest().hasRole("ADMIN")
                        .and()
                    .httpBasic();
            }
        }

        @Configuration // (4)
        public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .authorizeRequests()
                        .anyRequest().authenticated()
                        .and()
                    .formLogin();
            }
        }
    }
(1) Configure Authentication as normal.
(2) Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first.
(3) The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/.
(4) Create another instance of WebSecurityConfigurerAdapter. If the URL does not start with /api/ this configuration will be used. This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).
In your case you don't need antMatcher, because you have only one configuration. Your modified code:

    http
        .authorizeRequests()
            .antMatchers("/high_level_url_A/sub_level_1").hasRole("USER")
            .antMatchers("/high_level_url_A/sub_level_2").hasRole("USER2")
            .somethingElse() // for /high_level_url_A/**
            .antMatchers("/high_level_url_A/**").authenticated()
            .antMatchers("/high_level_url_B/sub_level_1").permitAll()
            .antMatchers("/high_level_url_B/sub_level_2").hasRole("USER3")
            .somethingElse() // for /high_level_url_B/**
            .antMatchers("/high_level_url_B/**").authenticated()
            .anyRequest().permitAll()
Basically, http.antMatcher() tells Spring to configure this HttpSecurity only if the path matches this pattern.
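As an added example (not part of the original post or the Spring reference), here are the asker's two URL groups written as two ordered HttpSecurity chains in the WebSecurityConfigurerAdapter style the answer quotes; the class names, @Order values and the httpBasic/formLogin choices are assumptions, while the paths and roles are the asker's.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example, not from the original post. Paths and roles are the asker's;
// class names, @Order values and httpBasic/formLogin are assumptions.
@EnableWebSecurity
public class TwoChainSecurityConfig {
    // http.antMatcher() scopes this whole chain to /high_level_url_A/**: a request
    // outside that prefix never enters it, so its anyRequest() rule cannot leak
    // onto unrelated URLs.
    @Configuration
    @Order(1)
    public static class GroupAConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/high_level_url_A/**")
                .authorizeRequests()
                    // Matchers are checked top-down and the first match wins, so the
                    // specific sub-paths must come before the catch-all anyRequest().
                    .antMatchers("/high_level_url_A/sub_level_1").hasRole("USER")
                    .antMatchers("/high_level_url_A/sub_level_2").hasRole("USER2")
                    .anyRequest().authenticated()
                .and()
                .httpBasic();
        }
    }
    @Configuration
    @Order(2)
    public static class GroupBConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/high_level_url_B/**")
                .authorizeRequests()
                    .antMatchers("/high_level_url_B/sub_level_1").permitAll()
                    .antMatchers("/high_level_url_B/sub_level_2").hasRole("USER3")
                    .anyRequest().authenticated()
                .and()
                .formLogin();
        }
    }
    // No unscoped chain is defined, so a request outside both prefixes matches no
    // chain and passes through Spring Security unfiltered (the asker's "public").
    // To enforce a rule there instead, add a last-ordered adapter without antMatcher().
}
```

Because each chain is scoped by antMatcher(), the anyRequest().authenticated() inside one chain cannot reach URLs of the other, which is exactly what the single-configuration version has to emulate by ordering its antMatchers() carefully.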