URL和方法的java spring安全设置
我有一个关于春季安全的问题。我有几个页面(A、B和C)和4个http方法来操作它们:GET、PUT、POST和DELETE。对于每个组合A+GET,我希望有一个特殊的权限,格式为resource-Page-Method
。我如何实现它?下面的代码不起作用:如果用户没有任何权限,它允许所有用户事件的所有内容
@Override
protected void configure(HttpSecurity http) throws Exception {
RequestHeaderAuthenticationFilter siteMinderFilter = new RequestHeaderAuthenticationFilter();
siteMinderFilter.setPrincipalRequestHeader("SM_USER");
siteMinderFilter.setAuthenticationManager(authenticationManager());
http.addFilter(siteMinderFilter);
List<HttpMethod> methods = new ArrayList<HttpMethod>();
methods.add(HttpMethod.GET);
methods.add(HttpMethod.POST);
methods.add(HttpMethod.PUT);
methods.add(HttpMethod.DELETE);
List<String> resources = new ArrayList<String>();
resources.add("A");
resources.add("B");
resources.add("C");
ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = http.authorizeRequests();
for (HttpMethod method:methods){
for (String resource: resources){
String auth = "resource-"+resource+"-"+method.name();
registry.antMatchers(method, "**/"+resource+"/**")
.hasAuthority(auth);
}
}
http = registry.and();
http.formLogin();
}
# 1 楼答案
过滤器不起作用的唯一原因是matcher patten开始时缺少斜杠
/
:除此之外
我应该写这个