
Question

When do we use antMatcher() vs antMatchers()?

For example:

http
   .antMatcher("/high_level_url_A/**")
   .authorizeRequests()
      .antMatchers("/high_level_url_A/sub_level_1").hasRole("USER")
      .antMatchers("/high_level_url_A/sub_level_2").hasRole("USER2")
      .somethingElse()
      .anyRequest().authenticated()
      .and()
   .antMatcher("/high_level_url_B/**")
   .authorizeRequests()
      .antMatchers("/high_level_url_B/sub_level_1").permitAll()
      .antMatchers("/high_level_url_B/sub_level_2").hasRole("USER3")
      .somethingElse()
      .anyRequest().authenticated()
      .and()
   ...

What I expect is:

  • Any request matching /high_level_url_A/** should be authenticated + /high_level_url_A/sub_level_1 only for USER and /high_level_url_A/sub_level_2 only for USER2
  • Any request matching /high_level_url_B/** should be authenticated + /high_level_url_B/sub_level_1 for public access and /high_level_url_A/sub_level_2 only for USER3.
  • Any other pattern I don't care about - but it should be public?

I have seen that the latest examples do not include antMatcher() these days. Why is that? Is antMatcher() no longer required?

Accepted answer

You need antMatcher for multiple HttpSecurity, see the Spring Security Reference:

5.7 Multiple HttpSecurity

We can configure multiple HttpSecurity instances just as we can have multiple <http> blocks. The key is to extend the WebSecurityConfigurerAdapter multiple times. For example, the following is an example of having a different configuration for URLs that start with /api/.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// The numbered comments (1)-(4) are the reference manual's callouts, explained below.
@EnableWebSecurity
public class MultiHttpSecurityConfig {
  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) {       // (1)
      auth
          .inMemoryAuthentication()
              .withUser("user").password("password").roles("USER").and()
              .withUser("admin").password("password").roles("USER", "ADMIN");
  }

  @Configuration
  @Order(1)                                                              // (2)
  public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
      @Override
      protected void configure(HttpSecurity http) throws Exception {
          http
              .antMatcher("/api/**")                                     // (3)
              .authorizeRequests()
                  .anyRequest().hasRole("ADMIN")
                  .and()
              .httpBasic();
      }
  }

  @Configuration                                                         // (4)
  public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

      @Override
      protected void configure(HttpSecurity http) throws Exception {
          http
              .authorizeRequests()
                  .anyRequest().authenticated()
                  .and()
              .formLogin();
      }
  }
}

1 Configure Authentication as normal

2 Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first.

3 The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/

4 Create another instance of WebSecurityConfigurerAdapter. If the URL does not start with /api/ this configuration will be used. This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).

In your case you need no antMatcher, because you have only one configuration. Your modified code:

http
    .authorizeRequests()
        .antMatchers("/high_level_url_A/sub_level_1").hasRole("USER")
        .antMatchers("/high_level_url_A/sub_level_2").hasRole("USER2")
        .somethingElse() // for /high_level_url_A/**
        .antMatchers("/high_level_url_A/**").authenticated()
        .antMatchers("/high_level_url_B/sub_level_1").permitAll()
        .antMatchers("/high_level_url_B/sub_level_2").hasRole("USER3")
        .somethingElse() // for /high_level_url_B/**
        .antMatchers("/high_level_url_B/**").authenticated()
        .anyRequest().permitAll()
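The single-configuration approach from the answer, written out as a complete WebSecurityConfigurerAdapter with the ordering rule made explicit. This is an added example, not code from the question, the answer or the Spring Security reference; the class name and the use of HTTP Basic are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example: the asker's three requirements in one HttpSecurity.
// Class name and httpBasic() are assumptions, not taken from the page.
@Configuration
@EnableWebSecurity
public class SingleHttpSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // antMatchers() rules are evaluated top-down and the FIRST match
                // decides, so the specific sub_level rules must precede the broad
                // /high_level_url_A/** rule. Listing the broad rule first would make
                // it win for every sub_level URL and drop the role checks unnoticed.
                // hasRole("USER") checks for the granted authority "ROLE_USER".
                .antMatchers("/high_level_url_A/sub_level_1").hasRole("USER")
                .antMatchers("/high_level_url_A/sub_level_2").hasRole("USER2")
                .antMatchers("/high_level_url_A/**").authenticated()
                .antMatchers("/high_level_url_B/sub_level_1").permitAll()
                .antMatchers("/high_level_url_B/sub_level_2").hasRole("USER3")
                .antMatchers("/high_level_url_B/**").authenticated()
                // Everything else is public, as the question asks for. This is an
                // allow-by-default fallback; anyRequest().authenticated() is the
                // stricter choice if new endpoints should not be exposed by accident.
                .anyRequest().permitAll()
                .and()
            .httpBasic();
    }
}
```

Only one WebSecurityConfigurerAdapter is registered here, so no antMatcher() and no @Order are needed; those only matter when several HttpSecurity instances compete for the same request.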


09-22 11:36