spring安全antmatcher不工作

z9smfwbn  于 2021-06-30  发布在  Java
关注(0)|答案(2)|浏览(396)

编辑:
托马斯·安道夫!当我在springboot的spring中使用embended tomcat时,它就工作了,我在intellij上启动了spring,并用visualstudio代码编写了angular部分。但是当我在我的树莓皮上用tomcat发布战争的时候它就不起作用了。。。

@Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests(authorizeRequests ->
                        authorizeRequests.antMatchers(HttpMethod.POST, "/rest/gender").permitAll()
                        .antMatchers(HttpMethod.POST, "/rest/login").permitAll()
                        .antMatchers(HttpMethod.POST, "/rest/names").permitAll()
                        .anyRequest().authenticated()
                )
                .httpBasic()
                .authenticationEntryPoint(authEntryPoint)
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

项目的Angular 部分发布在 tomcat/webapps/ROOT .
这场战争发表在 tomcat/webapps/baby-project-api .
我用 tomcat/conf/Catalina/localhost/rewrite.config 这样地:

RewriteRule ^/rest/(.+)$ /baby-project-api/rest/$1

原始问题
我尝试在具有spring引导安全性的api上使用基本身份验证,并且需要一些不安全的路径。 POST /rest/login 不受配置保护, GET /rest/gender 是安全的,这就是我想要的
知道为什么岗位/休息/性别仍然安全吗?
这是我的网站安全配置:

@Configuration
@EnableAutoConfiguration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationEntryPoint authEntryPoint;

    @Autowired
    private IParentRepository parentRepository;

    @Bean
    public BCryptPasswordEncoder bCryptPasswordEncoder() {
        BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();
        return bCryptPasswordEncoder;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/rest/gender").permitAll()
                .antMatchers(HttpMethod.POST, "/rest/login").permitAll()
                .antMatchers(HttpMethod.POST, "/rest/names").permitAll()
                .anyRequest().authenticated()
                .and().httpBasic()
                .authenticationEntryPoint(authEntryPoint);
                //.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {

        final List<Parent> parents = parentRepository.findAll();
        InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> mngConfig = auth.inMemoryAuthentication();

        for (Parent parent : parents) {
            mngConfig.withUser(User.withUsername(parent.getUsername()).password(parent.getPassword()).roles("ADMIN").build());
        }

    }
}```

POST /rest/login is not secured with the config,  
GET /rest/gender is secured and that's what i want

Any idea why POST /rest/gender is still secured ?
mm5n2pyu

mm5n2pyu1#

你能不能试着用他们在文档中实际做的方式来做,看看是否管用。

protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
            .authorizeRequests(authorizeRequests -> 
                authorizeRequests.antMatchers(HttpMethod.POST, "/rest/gender").permitAll();
                authorizeRequests.antMatchers(HttpMethod.POST, "/rest/login").permitAll();
                authorizeRequests.antMatchers(HttpMethod.POST, "/rest/names").permitAll();
                authorizeRequests.anyRequest().authenticated();
            )
            .httpBasic()
            .authenticationEntryPoint(authEntryPoint);
}
ckocjqey

ckocjqey2#

毕竟,我没有找到一个伟大的解决办法,通过这种方式。
我打开了所有api并用预授权限制了某些部分:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
            .authorizeRequests()
            .anyRequest().permitAll()
            .and().httpBasic()
            .authenticationEntryPoint(authEntryPoint)
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}

在控制器上:

@RestController
@PreAuthorize("isAuthenticated()")
@RequestMapping("/rest/gender")
public class GenderController {

[...]
// protected by the @ on the class
@GetMapping(value = "")
    public List<Gender> listerGender(final SecurityContextHolderAwareRequestWrapper request){
        return genderService.listerGender(request);
    }

 @PreAuthorize("permitAll()")
    @PostMapping(value = "", consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
    public ResponseEntity<Void> creerGender(@Valid @RequestBody Gender gender){
        return this.genderService.creerGender(gender);
    }

我想我们可以把它弄干净,但至少它能起作用

相关问题