Java: Correct use of WebSecurity in WebSecurityConfigurerAdapter

Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/31995221/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-08-11 11:53:41  Source: igfitidea

Tags: java, spring-security, spring-boot

Asked by JeanValjean

In my Spring Boot application based on version 1.3.0.BUILD-SNAPSHOT, I have the static resources (images, css, js) in the static folder under resources.

I see some examples related to security configuration like the following:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(final WebSecurity web) throws Exception {
        web.ignoring()
           .antMatchers("/static/**");
    }
}

Is that example correct? What should be the effect? How to verify that it works (e.g. doing a request to localhost:8080/something)? What cool things can I do with WebSecurity?

Accepted answer by sven.kwiotek

Your example means that Spring (Web) Security is ignoring URL patterns that match the expression you have defined ("/static/**"). This URL is skipped by Spring Security, therefore not secured.

Allows adding RequestMatcher instances that Spring Security should ignore. Web Security provided by Spring Security (including the SecurityContext) will not be available on HttpServletRequest that match. Typically the requests that are registered should be that of only static resources. For requests that are dynamic, consider mapping the request to allow all users instead.

See the WebSecurity API documentation for more info.

You can have as many URL patterns secured or unsecured as you want.
With Spring Security you have authentication and access control features for the web layer of an application. You can also restrict users who have a specified role to access a particular URL and so on.

Read the Spring Security reference for more details:
http://docs.spring.io/spring-security/site/docs/current/reference/html/


Ordering Priority of URL Patterns

When matching the specified patterns against an incoming request, the matching is done in the order in which the elements are declared. So the most specific matches patterns should come first and the most general should come last.

There are multiple children to the http.authorizeRequests() method each matcher is considered in the order they were declared.

Patterns are always evaluated in the order they are defined. Thus it is important that more specific patterns are defined higher in the list than less specific patterns.

Read here for more details:
http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#filter-security-interceptor



Example 1

General use of the WebSecurity ignoring() method omits Spring Security and none of Spring Security's features will be available. WebSecurity is based above HttpSecurity
(in an XML configuration you can write this: <http pattern="/resources/**" security="none"/>).

@Override
public void configure(WebSecurity web) throws Exception {
    web
        .ignoring()
        .antMatchers("/resources/**")
        .antMatchers("/publics/**");
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .antMatchers("/admin/**").hasRole("ADMIN")
        .antMatchers("/publics/**").hasRole("USER") // no effect
        .anyRequest().authenticated();
}

WebSecurity in the above example lets Spring ignore /resources/** and /publics/**. Therefore the .antMatchers("/publics/**").hasRole("USER") in HttpSecurity is unconsidered.

This will omit the request pattern from the security filter chain entirely. Note that anything matching this path will then have no authentication or authorization services applied and will be freely accessible.



Example 2

Patterns are always evaluated in order. The below matching is invalid because the first matches every request and will never apply the second match:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .antMatchers("/**").hasRole("USER")
        .antMatchers("/admin/**").hasRole("ADMIN"); // never reached: "/**" above already matched
}
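As an added example (not code from the question or from the answers above), the following ties the two points of the accepted answer together: web.ignoring() for static files, HttpSecurity matchers declared from most specific to most general, and a MockMvc test that verifies the effect instead of guessing at it. It assumes Spring Boot 1.4 or 1.5 with Spring Security 4.x, spring-boot-starter-test and spring-security-test on the classpath (JUnit 4), and a normal @SpringBootApplication class in the same package. The package name `example`, the users alice and bob, the DemoController and the paths /admin/dashboard, /public/ping and /static/** are constructed for this example.

```java
// Added example, not code from the original question or answers. Assumes Spring Boot 1.4/1.5
// with Spring Security 4.x, spring-security-test and JUnit 4; package "example", the users,
// the controller and the paths are constructed for illustration.

// --- src/main/java/example/WebSecurityConfig.java
package example;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Ignored paths skip the whole filter chain: no SecurityContext, no CSRF check,
        // no security headers. Only genuinely public static files belong here.
        web.ignoring().antMatchers("/static/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Most specific patterns first; anyRequest() must come last.
                .antMatchers("/admin/**").hasRole("ADMIN")
                // permitAll() stays inside the chain, so CSRF and headers still apply.
                .antMatchers("/public/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Spring Security 5.x would require a PasswordEncoder or a "{noop}" prefix here.
        auth.inMemoryAuthentication()
            .withUser("alice").password("alice-pw").roles("USER", "ADMIN").and()
            .withUser("bob").password("bob-pw").roles("USER");
    }
}

// --- src/main/java/example/DemoController.java (constructed endpoints for the test)
package example;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
class DemoController {
    @GetMapping("/admin/dashboard") String admin() { return "admin"; }
    @PostMapping("/public/ping")    String ping()  { return "pong"; }
}

// --- src/test/java/example/WebSecurityConfigTest.java
package example;

import static org.hamcrest.Matchers.not;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class WebSecurityConfigTest {

    @Autowired private MockMvc mvc;

    @Test
    public void ignoredPathIsNeverChallenged() throws Exception {
        // No credentials, yet no 401: the request never reached the filter chain
        // (the resource handler answers 404 because no such file exists in the test).
        mvc.perform(get("/static/app.css")).andExpect(status().is(not(401)));
    }

    @Test
    public void adminPatternIsMatchedBeforeTheCatchAll() throws Exception {
        mvc.perform(get("/admin/dashboard")).andExpect(status().isUnauthorized());
        mvc.perform(get("/admin/dashboard").with(httpBasic("bob", "bob-pw"))).andExpect(status().isForbidden());
        mvc.perform(get("/admin/dashboard").with(httpBasic("alice", "alice-pw"))).andExpect(status().isOk());
    }

    @Test
    public void permitAllStillRunsInsideTheChain() throws Exception {
        // permitAll() skips authorization only; CsrfFilter still rejects a POST without a token.
        mvc.perform(post("/public/ping")).andExpect(status().isForbidden());
        // An ignored path gets no CSRF check at all.
        mvc.perform(post("/static/ping")).andExpect(status().is(not(403)));
    }
}
```

Two caveats worth checking in your own project. First, the ignore pattern matches the URL path, not the folder name: Spring Boot serves the contents of `src/main/resources/static/` at the root of the site (`/app.css`, not `/static/app.css`), so a `web.ignoring().antMatchers("/static/**")` rule only covers files that are actually requested under `/static/`. Second, `WebSecurityConfigurerAdapter` is deprecated since Spring Security 5.7 and removed in 6.0, where the same configuration is expressed as a `SecurityFilterChain` bean and a `WebSecurityCustomizer` bean.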

Answer by PaulRyan17

Well in the code you shared, if you had your static files i.e. CSS/JS etc in a folder called static then all your static resources will be added to the page whereas if you left out

web.ignoring()
    .antMatchers("/static/**");

none of your static resources will be loaded.

Spring Security is extremely powerful, Spring has great documentation so you should just go read about it to fully appreciate/understand it.

Here is a link