我想知道是否有可能爲所有用戶提供對特定URL的訪問權? 我休息控制器:Spring Security,授權訪問,拒絕特定的URL
@RestController
@RequestMapping("/travel/")
public class TravelController {
@RequestMapping(value = { "/" }, method = { RequestMethod.POST })
public String newTravel(HttpEntity<String> httpEntity)
{
...
return null;
}
@RequestMapping(value = { "/follow/{travelId}/{email}/" }, method = { RequestMethod.POST })
public ResponseEntity<String> followTravel(@PathVariable int travelId,@PathVariable String email, HttpEntity<String> httpEntity)
{
...
}
我想限制對所有POST身份驗證的用戶,但授權followTravel()
給所有用戶。
我的安全配置是:
@Override
protected void configure(HttpSecurity http) throws Exception
{
http.csrf() //
.disable() //
.authorizeRequests() //
.antMatchers(HttpMethod.POST, "/travel/follow/**") // permit all POST to authenticated
.anonymous() //
.antMatchers(HttpMethod.POST, "/**") // permit all POST to authenticated
.authenticated() //
.antMatchers(HttpMethod.PUT, "/**") // permit all PUT to authenticated
.authenticated() //
.antMatchers(HttpMethod.DELETE, "/**") // permit all DELETE to authenticated
.authenticated() //
.anyRequest() //
.permitAll() //
.and() //
.httpBasic() //
.and() //
.sessionManagement() //
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
// .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
我試過設置
.antMatchers(HttpMethod.POST, "/travel/follow/**") // permit all POST to authenticated
.anonymous() //
之前或之後
.antMatchers(HttpMethod.POST, "/**") // permit all POST to authenticated
.authenticated() //
,但沒有成功。我通常在SO中找到答案,但沒有爲這個答案。
感謝
我的不好,當我嘗試它時,我被連接了。所以它在連接時工作,而不是在匿名時工作。 – Avados