我们有基于Spring Boot的Application,我们希望为匿名用户提供默认/映射访问权限。
我们添加了默认的index.html(基本页面)。
在控制器中
@RequestMapping("/")
public ModelAndView defaultViewManager(HttpServletRequest request) {
logger.info("Default mapping.");
ModelAndView modelAndView = new ModelAndView("index");
return modelAndView;
}
安全配置
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private static final String SSO_HEADER = "AUTH_USER";
public static final String ADMIN = "ROLE_ADMIN";
public static final String USER = "ROLE_USER";
public static final String ANONYMOUS = "ROLE_ANONYMOUS";
@Autowired
private PreAuthUserDetailsService userDetailsService;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(preAuthenticatedAuthProvider());
}
@Bean
public PreAuthenticatedAuthenticationProvider preAuthenticatedAuthProvider() {
UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper =
new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> (userDetailsService);
PreAuthenticatedAuthenticationProvider authProvider = new PreAuthenticatedAuthenticationProvider();
authProvider.setPreAuthenticatedUserDetailsService(wrapper);
return authProvider;
}
@Bean
public RequestHeaderAuthenticationFilter headerAuthFilter() throws Exception {
RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
filter.setPrincipalRequestHeader(SSO_HEADER);
filter.setAuthenticationManager(authenticationManagerBean());
return filter;
}
上面提到的代码可能不是必需的,但是对于背景,我们使用的是PreAuthenticatedAuthentication Provider
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.addFilter(headerAuthFilter())
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/admin/**").hasAuthority(ADMIN)
.antMatchers("/**").hasAuthority(USER)
.and()
.logout()
.deleteCookies("remove")
.invalidateHttpSession(true)
.logoutUrl("/logout")
.logoutSuccessUrl("/login?logout")
.and()
.csrf().disable()
.headers().frameOptions().disable();
// @formatter:on
}
}
仅供参考,我也添加了拦截器。拦截器似乎已触发,即使具有排除模式
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(wikiRequestHandlerInterceptor()).
excludePathPatterns("/").addPathPatterns("/**");
}
在上面的
SecurityConfig代码中。我试图允许使用.antMatchers("/").permitAll(),并添加了余下的权限,表示所有/**和/admin/**。但这是行不通的。请帮助提及正确的antMatchers,以仅提供对默认/ mapping的匿名访问。提前致谢。
最佳答案
看起来antMatchers可能需要重新排列以修复优先级。要允许"/"处的“所有请求”,请首先添加anyRequest().permitAll(),然后添加受限制的目录,最后添加全部捕获的/**,如下所示:
http.addFilter(headerAuthFilter())
.authorizeRequests()
.anyRequest().permitAll()
.antMatchers("/admin/**").hasAuthority(ADMIN)
.antMatchers("/**").hasAuthority(USER)
可以将视图控制器设置为直接映射到模板目录中的indexroot.html(假设ThymeLeaf):
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/").setViewName("indexroot");
}
我相信拦截器仍然可以用任何顺序简单地用“ /”排除:
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(wikiRequestHandlerInterceptor())
.addPathPatterns("/admin/**")
.excludePathPatterns("/");
}