Spring Security Java Config AntMatcher为什么不阻止此URL?
作者:互联网
使用Spring Boot和Spring Security,我配置了一个超级简单的应用程序,并基于URL添加了安全性,但是并不尊重它.例如,如果我以“侦查员”身份登录并点击/ api / leaders之类的管理URL,我仍然可以看到它.
我已经尝试了URL的许多排列,甚至尝试了anyRequest().denyAll(),并且侦察用户仍然可以访问它.
@Configuration
@EnableAutoConfiguration
@ComponentScan(basePackages = {"com.ssoward.scouts"})
public class MainConfiguration {
public static void main(String[] args) throws Exception {
SpringApplication.run(MainConfiguration.class, args);
}
//security
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
static class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return authenticationManager();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/api/leaders*").hasRole("ADMIN") //url level security
.antMatchers("/api/scouts*").hasRole("USER"); //url level security
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("leader").password("password").roles("USER", "ADMIN").and()
.withUser("scout").password("password").roles("USER");
}
}
}
整个项目在Github上:https://github.com/ssoward/scouts
解决方法:
Spring Actuator会自动配置Spring Security,但是当我添加上面提到的配置时,它并未删除Spring Actuator添加的配置.
解决方案:通过将以下内容添加到您的应用程序属性文件中来禁用Spring Actuator添加的安全性:security.basic.enabled = false
标签:spring-security,spring,java,spring-mvc 来源: https://codeday.me/bug/20191122/2058246.html