Java Spring requestMatchers permit paths within authenticated path

Question

I am trying to protect all paths at /admin/** but allow /admin/auth/** for the login.

I have tried this, but it does not work:

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests((requests) -> requests
                        .requestMatchers("/admin/**").authenticated()
                        .requestMatchers("/admin/auth/**").permitAll()
                        .anyRequest().permitAll()
                );
        // Disable csrf for now
        http.csrf(c -> c.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).ignoringRequestMatchers("admin/**"));
        http.addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }

How can I change it?

Answer 1

Score: 0

The fine-grained request pattern should be applied first.

If the broader-scope pattern is above it, the broader pattern filters the request out first.

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
            .authorizeHttpRequests((requests) -> requests
                    // First match wins: the narrow permitAll() rule must precede the broad authenticated() rule
                    .requestMatchers("/admin/auth/**").permitAll()
                    .requestMatchers("/admin/**").authenticated()
                    .anyRequest().permitAll()
            );
    // Disable csrf for now (the pattern needs a leading slash, otherwise it never matches a request path)
    http.csrf(c -> c.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).ignoringRequestMatchers("/admin/**"));
    http.addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
    return http.build();
}

Answer 2

Score: 0

Did you try using the authorizeRequests method?
The order of matching patterns is essential. First, you should specify the more specific way (/admin/auth/) and allow access to it with permitAll(). Then, select the more general pattern (/admin/) and require authentication for it with authenticated().

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        // authorizeRequests()/antMatchers() are the Spring Security 5 API (antMatchers was removed in 6.0)
        .authorizeRequests((requests) -> requests
            .antMatchers("/admin/auth/**").permitAll()
            .antMatchers("/admin/**").authenticated()
            .anyRequest().permitAll()
        )
        .csrf(c -> c
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .ignoringAntMatchers("/admin/**")
        )
        .addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);

    return http.build();
}
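As an added example that is not code from the question or from either answer: a complete configuration in the first-match order both answers describe, together with a MockMvc check that the login carve-out is reachable anonymously while everything else under /admin/ still requires authentication. It goes beyond the answers by limiting the carve-out to POST, so a GET on the auth path stays protected. It assumes Spring Boot 3 with Spring Security 6, a `@SpringBootApplication` class in the project, and that the `jwtTokenFilter` from the question is a `OncePerRequestFilter` bean; the package, controller and test class names are hypothetical.

```java
// Added example, not the question's or answers' code. Assumes Spring Boot 3 /
// Spring Security 6 and that jwtTokenFilter (mentioned, not shown, in the question)
// is a OncePerRequestFilter bean. Package, controller and test class are hypothetical.
package com.example.adminsecurity;

import static org.hamcrest.Matchers.anyOf;
import static org.hamcrest.Matchers.is;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class AdminSecurityConfig {

    private final OncePerRequestFilter jwtTokenFilter; // assumed bean, as in the question

    public AdminSecurityConfig(OncePerRequestFilter jwtTokenFilter) {
        this.jwtTokenFilter = jwtTokenFilter;
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(requests -> requests
                // Rules are checked top-down and the first match decides, so the narrow
                // carve-out must come before the broad rule it is carved out of.
                // Restricting it to POST keeps GET /admin/auth/** under authenticated().
                .requestMatchers(HttpMethod.POST, "/admin/auth/**").permitAll()
                .requestMatchers("/admin/**").authenticated()
                .anyRequest().permitAll()
            )
            // Same CSRF setup as the question, with the leading slash the pattern needs.
            .csrf(c -> c
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .ignoringRequestMatchers("/admin/**")
            )
            // Added here: a bearer-token API has no session to keep (assumption about the app).
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}

// Hypothetical login endpoint so the carve-out has something to reach.
@RestController
class AdminAuthController {
    @PostMapping("/admin/auth/login")
    String login() {
        return "token-issued"; // placeholder body; a real endpoint validates credentials first
    }
}

// Hypothetical MockMvc check of the ordering (lives under src/test in a real project).
@SpringBootTest
@AutoConfigureMockMvc
class AdminSecurityConfigTest {

    @Autowired
    MockMvc mvc;

    @Test
    void loginIsReachableWithoutAToken() throws Exception {
        mvc.perform(post("/admin/auth/login")).andExpect(status().isOk());
    }

    @Test
    void otherAdminPathsRejectAnonymousRequests() throws Exception {
        // No entry point is configured, so Spring Security answers 403 by default;
        // a jwtTokenFilter that installs its own entry point may answer 401 instead.
        mvc.perform(get("/admin/users")).andExpect(status().is(anyOf(is(401), is(403))));
    }

    @Test
    void getOnAuthPathStaysProtected() throws Exception {
        mvc.perform(get("/admin/auth/login")).andExpect(status().is(anyOf(is(401), is(403))));
    }
}
```

The second test is the one that distinguishes a working carve-out from a broken one: with the rules in the question's original order, /admin/** is matched first and /admin/auth/login would be rejected too, so the first test fails; with the rules reversed, both pass. Asserting on 401-or-403 rather than on a generic 4xx matters because an unmapped path that security lets through produces a 404, which is also a 4xx.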

huangapple
  • Posted by huangapple on June 25, 2023 19:50:11
  • Please keep this link when reposting: https://go.coder-hub.com/76550250.html