一、

对特定的请求拦截

For example, consider the requests served by the Spittr application. Certainly, the
home page is public and doesn’t need to be secured. Likewise, since all Spittle
objects are essentially public, the pages that display Spittle s don’t require security.
Requests that create a Spittle , however, should only be performed by an authenti-
cated user. Similarly, although user profile pages are public and don’t require authen-

tication, if you were to handle a request for /spitters/me to display the current user’s
profile, then authentication is required to know whose profile to show.
The key to fine-tuning security for each request is to override the configure
(HttpSecurity) method. The following code snippet shows how you might override
configure(HttpSecurity) to selectively apply security to different URL paths.

 @Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/spitters/me").authenticated()
.antMatchers(HttpMethod.POST, "/spittles").authenticated()
.anyRequest().permitAll();
}

The HttpSecurity object given to configure() can be used to configure several
aspects of HTTP security. Here you’re calling authorizeRequests() and then calling
methods on the object it returns to indicate that you want to configure request-level
security details. The first call to antMatchers() specifies that requests whose path is
/spitters/me should be authenticated. The second call to antMatchers() is even
more specific, saying that any HTTP POST request to /spittles must be authenticated.
Finally, a call to anyRequests() says that all other requests should be permitted, not
requiring authentication or any authorities.

(1)用通配符

.antMatchers("/spitters/**").authenticated();

(2)写多个路径

.antMatchers("/spitters/**", "/spittles/mine").authenticated();

(3)Whereas the antMatchers() method works with paths that may contain Ant-style wild-

cards, there’s also a regexMatchers() method that accepts regular expressions to
define request paths. For example, the following snippet uses a regular expression
that’s equivalent to /spitters/** (Ant-style):

.regexMatchers("/spitters/.*").authenticated();

(4)全部可配置的方法

(1)you could change the previous configure() method to require that the user not only be authenticated, but also have ROLE_SPITTER authority:

@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/spitters/me").hasAuthority("ROLE_SPITTER")
.antMatchers(HttpMethod.POST, "/spittles")
.hasAuthority("ROLE_SPITTER")
.anyRequest().permitAll();
}

@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/spitter/me").hasRole("SPITTER")
.antMatchers(HttpMethod.POST, "/spittles").hasRole("SPITTER")
.anyRequest().permitAll();
}

You can chain as many calls to antMatchers() , regexMatchers() , and anyRequest()
as you need to fully establish the security rules around your web application. You
should know, however, that they’ll be applied in the order given. For that reason, it’s
important to configure the most specific request path patterns first and the least spe-
cific ones (such as anyRequest() ) last. If not, then the least specific paths will trump
the more specific ones.

SPRING IN ACTION 第4版笔记-第九章Securing web applications-009-拦截请求()的更多相关文章

  1. SPRING IN ACTION 第4版笔记-第九章Securing web applications-011-把敏感信息请求转为https(requiresChannel())

    1.把包含敏感信息的请求转为https请求,则较为安全,但如何只把有需要安全的请求转为https,而不是不加分辩就把所有请求都转为https呢?可以用requiresChannel() @Overri ...

  2. SPRING IN ACTION 第4版笔记-第九章Securing web applications-001-SpringSecurity简介(DelegatingFilterProxy、AbstractSecurityWebApplicationInitializer、WebSecurityConfigurerAdapter、@EnableWebSecurity、@EnableWebMvcS)

    一.SpringSecurity的模块 At the least, you’ll want to include the Core and Configuration modules in your ...

  3. SPRING IN ACTION 第4版笔记-第九章Securing web applications-010-拦截请求

    一. What if you wanted to restrict access to certain roles only on Tuesday? Using the access() method ...

  4. SPRING IN ACTION 第4版笔记-第九章Securing web applications-008-使用非关系型数据库时如何验证用户(自定义UserService)

    一. 1.定义接口 Suppose that you need to authenticate against users in a non-relational database suchas Mo ...

  5. SPRING IN ACTION 第4版笔记-第九章Securing web applications-007-设置LDAP server比较密码(contextSource、root()、ldif()、)

    一.LDAP server在哪 By default, Spring Security’s LDAP authentication assumes that the LDAP server is li ...

  6. SPRING IN ACTION 第4版笔记-第九章Securing web applications-004-对密码加密passwordEncoder

    一. 1.Focusing on the authentication query, you can see that user passwords are expected to be stored ...

  7. SPRING IN ACTION 第4版笔记-第九章Securing web applications-003-把用户数据存在数据库

    一. 1.It’s quite common for user data to be stored in a relational database, accessed via JDBC . To c ...

  8. SPRING IN ACTION 第4版笔记-第九章Securing web applications-002-把用户数据存在memory里(AuthenticationManagerBuilder、 UserDetailsManagerConfigurer.UserDetailsBuilder)

    Spring Security is extremely flexible and is capable of authenticating users against virtually any d ...

  9. SPRING IN ACTION 第4版笔记-第九章Securing web applications-006-用LDAP比较密码(passwordCompare()、passwordAttribute("passcode")、passwordEncoder(new Md5PasswordEncoder()))

    一. The default strategy for authenticating against LDAP is to perform a bind operation,authenticatin ...

随机推荐

  1. (转)实战Memcached缓存系统(2)Memcached Java API基础之MemcachedClient

    1. 构造函数 public MemcachedClient(InetSocketAddress[] ia) throws IOException; public MemcachedClient(Li ...

  2. Poj 2586 / OpenJudge 2586 Y2K Accounting Bug

    1.Link: http://poj.org/problem?id=2586 2.Content: Y2K Accounting Bug Time Limit: 1000MS   Memory Lim ...

  3. python 自动化之路 day 10 协程、异步IO、队列、缓存

    本节内容 Gevent协程 Select\Poll\Epoll异步IO与事件驱动 RabbitMQ队列 Redis\Memcached缓存 Paramiko SSH Twsited网络框架 引子 到目 ...

  4. jobs

    fg.bg.jobs.&.ctrl + z都是跟系统任务有关的,虽然现在基本上不怎么需要用到这些命令,但学会了也是很实用的一.& 最经常被用到这个用在一个命令的最后,可以把这个命令放到 ...

  5. nginx gzip filter模块分析

    API:http://refspecs.linuxbase.org/LSB_3.1.1/LSB-Core-generic/LSB-Core-generic/zlib-deflateinit2.html ...

  6. oracle pl/sql的操作大全

    --删除该用户及下面的所有关联 DROP USER fspdrs CASCADE; --创建一个用户 create user fspdrs identified " default tabl ...

  7. Linux文件目录结构说明

  8. Ecshop与Jquery冲突的完美解决方案

    ecshop把AJAX事件和JSON解析的模块放在common/transport.js之中,可以说它也有自己封装的一套工具,这其实是很正常的.   但恰恰的,在封装JSON各种方法的同时对objec ...

  9. phpcmsv9全站搜索,不限模型

    简单修改一下v9默认的搜索功能,可以不按模型搜索全站内容 下面是被修改后的search模块中的index.php文件 <?php defined('IN_PHPCMS') or exit('No ...

  10. Linux学习系列之Linux入门(三)gcc学习

    GCC(GNU Compiler Collection,GNU编译器套装),是一套由GNU开发的编程语言编译器.它是一套以GPL及LGPL许可证所发布的自由软件,也是GNU计划的关键部分,亦是自由的类 ...