英文:
Java Spring requestMatchers permit paths within authenticated path
问题
我试图保护所有位于/admin/**路径下的请求,但允许/admin/auth/**路径下的登录请求。
我尝试过以下代码,但不起作用:
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/admin/**").authenticated()
.requestMatchers("/admin/auth/**").permitAll()
.anyRequest().permitAll()
);
// 暂时禁用 CSRF
http.csrf(c -> c.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).ignoringRequestMatchers("admin/**"));
http.addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
return http.build();
}
我应该如何更改它?
英文:
I am trying to protect all paths at /admin/** but allow /admin/auth/** for the login.
I have tried this but does not work;
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/admin/**").authenticated()
.requestMatchers("/admin/auth/**").permitAll()
.anyRequest().permitAll()
);
// Disable csrf for now
http.csrf(c -> c.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).ignoringRequestMatchers("admin/**"));
http.addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
return http.build();
}
How can I change it?
答案1
得分: 0
精细的请求模式应该首先被应用。
如果它在其上方,那么首先过滤掉更广泛的范围模式。
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/admin/auth/**").permitAll()
.requestMatchers("/admin/**").authenticated()
.anyRequest().permitAll()
);
// 暂时禁用 csrf
http.csrf(c -> c.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).ignoringRequestMatchers("admin/**"));
http.addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
return http.build();
}
英文:
The fine-grained request pattern should be applied first.
with the broader scope pattern filtered out first if it's above it
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((requests) -> requests
.requestMatchers("/admin/auth/**").permitAll()
.requestMatchers("/admin/**").authenticated()
.anyRequest().permitAll()
);
// Disable csrf for now
http.csrf(c -> c.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).ignoringRequestMatchers("admin/**"));
http.addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
return http.build();
}
答案2
得分: 0
你是否尝试使用authorizeRequests方法?
匹配模式的顺序很重要。首先,您应该指定更具体的方式(/admin/auth/),并允许使用permitAll()来访问它。然后,选择更一般的模式(/admin/),并要求使用authenticated()进行身份验证。
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeRequests((requests) -> requests
.antMatchers("/admin/auth/**").permitAll()
.antMatchers("/admin/**").authenticated()
.anyRequest().permitAll()
)
.csrf(c -> c
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.ignoringAntMatchers("/admin/**")
)
.addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
return http.build();
英文:
Did you try using the authorizeRequests method?
The order of matching patterns is essential. First, you should specify the more specific way (/admin/auth/) and allow access to it with permitAll(). Then, select the more general pattern (/admin/) and require authentication for it with authenticated().
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeRequests((requests) -> requests
.antMatchers("/admin/auth/**").permitAll()
.antMatchers("/admin/**").authenticated()
.anyRequest().permitAll()
)
.csrf(c -> c
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.ignoringAntMatchers("/admin/**")
)
.addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
return http.build();
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论