我必須將方法發佈爲休息服務。 我想在一種方法上應用基本授權安全性,以免說「gpnfeedback」。 我不想通過申請任何授權sendgpn 我如何配置SecurityConfig.java?我用以下CONFIGRATION但callling http://localhost:7071/gpns/rest/sendgpnSpring Boot的基於方法授權
控制器的時候,
@Controller
@RequestMapping("/gpns/rest/")
public class GpnsRestController {
@CrossOrigin
@RequestMapping(value = "/sendgpn", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE, consumes = { MediaType.MULTIPART_FORM_DATA_VALUE, MediaType.APPLICATION_JSON_VALUE })
public @ResponseBody
GpnsResponse sendgpn(@Valid @RequestPart(value = "data", required = true) SendGpnMessageMsisdnListReq sendGpnMessageMsisdnListReq, @Valid @ModelAttribute(value = "photo") MultipartFile photo, @Valid @ModelAttribute(value = "video") MultipartFile video,
@Valid @ModelAttribute(value = "videothumbnail") MultipartFile videothumbnail) {
}
@RequestMapping(method = RequestMethod.POST, value = "/gpnfeedback", consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
public @ResponseBody
GpnsResponse gpnfeedback(HttpServletRequest http, @Valid @RequestBody GpnFeedbackReq gpnFeedbackReq) {
}
}
安全
@Configuration
@EnableWebSecurity(debug = true)
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
public static final String ROLE_CLIENT = "CLIENT_USER";
@Autowired
private DatabaseAuthenticationProvider databaseAuthenticationProvider;
@Autowired
private GpnBasicAuthenticationEntryPoint basicAuthenticationEntryPoint;
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/soap/lb/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.httpBasic().authenticationEntryPoint(this.basicAuthenticationEntryPoint);
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// @formatter:off
http.authorizeRequests()
.antMatchers("/gpns/rest/gpnfeedback/**").hasRole(ROLE_CLIENT)
.anyRequest().authenticated().and().httpBasic();
// @formatter:on
}
@Override
protected void configure(AuthenticationManagerBuilder builder) throws Exception {
//will be invoked in given order
builder.authenticationProvider(this.databaseAuthenticationProvider);
}
}
UPDATE-1仍然有authorzation錯誤: 我已經改變了規則與f正在一個。 Althout我可以給http://localhost:7071/gpns/rest/sendgpn方法,無需任何授權,http://localhost:7071/gpns/rest/gpnfeedback不受databaseAuthenticationProvider hanled
http.authorizeRequests()
.antMatchers("/gpns/rest/gpnfeedback/**").hasRole(ROLE_CLIENT)
.antMatchers("/gpns/rest/sendgpn/**").permitAll()
.anyRequest().authenticated().and().httpBasic();
它的工作部分,我的意思是允許sendgpn,但gpnfeddback不由this.databaseAuthenticationProvider處理。 –
你怎麼知道?你可以用你的細節更新這個問題,因爲這是另一個問題 –
正如你所看到的,我只添加了.antMatchers(「/ gpns/rest/sendgpn/**」)。permitAll()根據你的建議,它允許在沒有授權的情況下調用sendgpn方法,但爲什麼gpnfeedback方法不由databaseAuthenticationProvider處理? –