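Spring Security antMatcher with HttpMethod.POST does not work

Problem description

Edit:

Thanks Thomas Andolf! It works when I use the embedded Tomcat in Spring Boot, launched from IntelliJ, together with the Angular part run from Visual Studio Code. But it does not work when I publish the war to the provided Tomcat on my Raspberry Pi...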

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
            .authorizeRequests(authorizeRequests ->
                    authorizeRequests.antMatchers(HttpMethod.POST, "/rest/gender").permitAll()
                    .antMatchers(HttpMethod.POST, "/rest/login").permitAll()
                    .antMatchers(HttpMethod.POST, "/rest/names").permitAll()
                    .anyRequest().authenticated()
            )
            .httpBasic()
            .authenticationEntryPoint(authEntryPoint)
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
```

The Angular part of the project is published in tomcat/webapps/ROOT.
The war is published in tomcat/webapps/baby-project-api.

tomcat/conf/Catalina/localhost/rewrite.config is used like this:

```
RewriteRule ^/rest/(.+)$ /baby-project-api/rest/$1
```

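Original question

I am trying to use basic authentication on an API with Spring Boot Security, and I need some paths to be unsecured.

POST /rest/login is not secured with the config,
GET /rest/gender is secured and that's what I want.

Any idea why POST /rest/gender is still secured?

Here is my WebSecurityConfig: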

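```java
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.AuthenticationEntryPoint;
// Parent and IParentRepository are the project's own classes (imports not shown in the post).

@Configuration
@EnableAutoConfiguration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationEntryPoint authEntryPoint;

    @Autowired
    private IParentRepository parentRepository;

    @Bean
    public BCryptPasswordEncoder bCryptPasswordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Rules are evaluated in order: the three POST endpoints are open,
        // every other request requires HTTP Basic authentication.
        http.csrf().disable()
                .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/rest/gender").permitAll()
                .antMatchers(HttpMethod.POST, "/rest/login").permitAll()
                .antMatchers(HttpMethod.POST, "/rest/names").permitAll()
                .anyRequest().authenticated()
                .and().httpBasic()
                .authenticationEntryPoint(authEntryPoint);
                //.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Load every Parent from the repository into the in-memory user store.
        final List<Parent> parents = parentRepository.findAll();
        InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> mngConfig = auth.inMemoryAuthentication();

        for (Parent parent : parents) {
            mngConfig.withUser(User.withUsername(parent.getUsername()).password(parent.getPassword()).roles("ADMIN").build());
        }
    }
}
```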


Tags: java, spring-boot, spring-security

Solution

Could you try doing it the way they actually do it in the documentation and see if that works?

```java
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
            // A lambda with several statements needs a block body.
            .authorizeRequests(authorizeRequests -> {
                authorizeRequests.antMatchers(HttpMethod.POST, "/rest/gender").permitAll();
                authorizeRequests.antMatchers(HttpMethod.POST, "/rest/login").permitAll();
                authorizeRequests.antMatchers(HttpMethod.POST, "/rest/names").permitAll();
                authorizeRequests.anyRequest().authenticated();
            })
            .httpBasic()
            .authenticationEntryPoint(authEntryPoint);
}
```
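
A way to check these rules without a browser, as an added example that is not part of the original question or answer: a MockMvc test that sends unauthenticated requests through the security filter chain, once at the root and once under the /baby-project-api context path from the deployment above. It assumes JUnit 5, spring-boot-starter-test and spring-security-test on the test classpath, an application context that starts in tests, and an authEntryPoint that answers 401 or 403; the class name WebSecurityConfigTest is hypothetical.

```java
import static org.junit.jupiter.api.Assertions.*;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;

import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

// Hypothetical test class (added example, not from the post).
@SpringBootTest
class WebSecurityConfigTest {
    @Autowired
    private WebApplicationContext context;
    private MockMvc mvc;

    @BeforeEach
    void setUp() {
        // springSecurity() puts the application's security filter chain in front of the controllers.
        mvc = MockMvcBuilders.webAppContextSetup(context).apply(springSecurity()).build();
    }

    // HTTP status for a request sent without an Authorization header.
    private int anonymousStatus(MockHttpServletRequestBuilder request) throws Exception {
        return mvc.perform(request).andReturn().getResponse().getStatus();
    }

    // Assumption: the custom authEntryPoint rejects with 401 or 403.
    private static boolean rejected(int status) {
        return status == 401 || status == 403;
    }

    @Test
    void onlyPostIsOpenOnGender() throws Exception {
        assertFalse(rejected(anonymousStatus(post("/rest/gender"))), "POST must be permitted");
        assertTrue(rejected(anonymousStatus(get("/rest/gender"))), "GET must stay protected");
    }

    @Test
    void postStaysOpenUnderContextPath() throws Exception {
        // Ant patterns are matched against the path inside the application, so the
        // context path of the deployed war is not part of the pattern.
        assertFalse(rejected(anonymousStatus(
                post("/baby-project-api/rest/gender").contextPath("/baby-project-api"))));
    }
}
```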
