Spring security 使用 HttpSecurity 授权对 url 和方法的请求
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/28907030/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Spring security authorize request for url & method using HttpSecurity
提问by ilopezluna
Is there any way to authorize post request to a specific url using org.springframework.security.config.annotation.web.builders.HttpSecurity?
有什么方法可以使用 授权对特定 url 的发布请求org.springframework.security.config.annotation.web.builders.HttpSecurity?
I'm using HttpSecurityas:
我正在使用HttpSecurity:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.addFilterAfter(new CsrfCookieGeneratorFilter(), CsrfFilter.class)
.exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint)
.and()
.rememberMe()
.rememberMeServices(rememberMeServices)
.key(env.getProperty("jhipster.security.rememberme.key"))
.and()
.formLogin()
.loginProcessingUrl("/api/authentication")
.successHandler(ajaxAuthenticationSuccessHandler)
.failureHandler(ajaxAuthenticationFailureHandler)
.usernameParameter("j_username")
.passwordParameter("j_password")
.permitAll()
.and()
.logout()
.logoutUrl("/api/logout")
.logoutSuccessHandler(ajaxLogoutSuccessHandler)
.deleteCookies("JSESSIONID")
.permitAll()
.and()
.headers()
.frameOptions()
.disable()
.authorizeRequests()
.antMatchers("/api/register").permitAll()
.antMatchers("/api/activate").permitAll()
.antMatchers("/api/authenticate").permitAll()
.antMatchers("/api/logs/**").hasAuthority(AuthoritiesConstants.ADMIN)
.antMatchers("/api/subscriptions").permitAll()
.antMatchers("/api/**").authenticated();
}
I would like to allow POST requests to /api/subscription path. Only POST. Thanks.
我想允许 POST 请求到 /api/subscription 路径。只有 POST。谢谢。
回答by Matt C
Take a look here https://github.com/spring-projects/spring-data-examples/tree/master/rest/securitywhich has
看看这里https://github.com/spring-projects/spring-data-examples/tree/master/rest/security有
http
.httpBasic().and()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/employees").hasRole("ADMIN")
.antMatchers(HttpMethod.PUT, "/employees/**").hasRole("ADMIN")
.antMatchers(HttpMethod.PATCH, "/employees/**").hasRole("ADMIN");
回答by Patrick
I know this question is a bit old but I don't believe disabling csrf support is an acceptable answer. I had this same problem but don't feel good able using csrf.disable(). Instead I added the following line at the bottom of the page inside the form tags.
我知道这个问题有点老了,但我不认为禁用 csrf 支持是可以接受的答案。我有同样的问题,但使用 csrf.disable() 感觉不太好。相反,我在页面底部的表单标签内添加了以下行。
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
回答by Akitha_MJ
Just Mention the path you need to remove Authentication like this
只需提及您需要像这样删除身份验证的路径
http
.httpBasic().and()
.authorizeRequests()
.antMatchers("/employees" , "/employees/**")
.permitAll().anyRequest().authenticated()
.and().csrf().disable()
