I. Intercepting specific requests

For example, consider the requests served by the Spittr application. Certainly, the home page is public and doesn't need to be secured. Likewise, since all Spittle objects are essentially public, the pages that display Spittles don't require security. Requests that create a Spittle, however, should only be performed by an authenticated user. Similarly, although user profile pages are public and don't require authentication, if you were to handle a request for /spitters/me to display the current user's profile, then authentication is required to know whose profile to show.

The key to fine-tuning security for each request is to override the configure(HttpSecurity) method. The following code snippet shows how you might override configure(HttpSecurity) to selectively apply security to different URL paths.

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
  http
    .authorizeRequests()
      .antMatchers("/spitters/me").authenticated()
      .antMatchers(HttpMethod.POST, "/spittles").authenticated()
      .anyRequest().permitAll();
}
```

The HttpSecurity object given to configure() can be used to configure several aspects of HTTP security. Here you're calling authorizeRequests() and then calling methods on the object it returns to indicate that you want to configure request-level security details. The first call to antMatchers() specifies that requests whose path is /spitters/me must be authenticated. The second call to antMatchers() is even more specific, saying that any HTTP POST request to /spittles must be authenticated. Finally, a call to anyRequest() says that all other requests should be permitted, requiring neither authentication nor any authorities.

(1) Using a wildcard

```java
.antMatchers("/spitters/**").authenticated();
```

(2) Listing several paths in one call

```java
.antMatchers("/spitters/**", "/spittles/mine").authenticated();
```

(3) Whereas the antMatchers() method works with paths that may contain Ant-style wildcards, there's also a regexMatchers() method that accepts regular expressions to define request paths. For example, the following snippet uses a regular expression that's equivalent to /spitters/** (Ant-style):

```java
.regexMatchers("/spitters/.*").authenticated();
```

(4) All of the configurable methods

(1) You could change the previous configure() method to require that the user not only be authenticated, but also have ROLE_SPITTER authority:

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
  http
    .authorizeRequests()
      .antMatchers("/spitters/me").hasAuthority("ROLE_SPITTER")
      .antMatchers(HttpMethod.POST, "/spittles").hasAuthority("ROLE_SPITTER")
      .anyRequest().permitAll();
}
```

Equivalently, using hasRole(), which prepends the ROLE_ prefix for you:

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
  http
    .authorizeRequests()
      // Path corrected to /spitters/me to match the rule described above
      .antMatchers("/spitters/me").hasRole("SPITTER")
      .antMatchers(HttpMethod.POST, "/spittles").hasRole("SPITTER")
      .anyRequest().permitAll();
}
```

You can chain as many calls to antMatchers(), regexMatchers(), and anyRequest() as you need to fully establish the security rules around your web application. You should know, however, that they'll be applied in the order given. For that reason, it's important to configure the most specific request path patterns first and the least specific ones (such as anyRequest()) last. If not, then the least specific paths will trump the more specific ones.
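As an added example (not from the book or the Spittr application's own code), here is a complete configuration class that applies the ordering rule just described to overlapping patterns: the most specific rules come first and anyRequest() is the catch-all. The DELETE rule, the ADMIN role, and the deny-by-default catch-all are assumptions chosen for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example: request-level rules ordered from most to least specific.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .authorizeRequests()
        // Most specific first: /spitters/me needs a logged-in user even though
        // the /spitters/** wildcard further down is public. If this line came
        // after the wildcard, the wildcard would win and /spitters/me would be open.
        .antMatchers("/spitters/me").authenticated()
        // Assumption for illustration: only ROLE_ADMIN may delete a Spittle.
        // Listed before the public /spittles/** rule so it is checked first.
        .antMatchers(HttpMethod.DELETE, "/spittles/**").hasRole("ADMIN")
        // hasRole("SPITTER") is the same check as hasAuthority("ROLE_SPITTER").
        .antMatchers(HttpMethod.POST, "/spittles").hasRole("SPITTER")
        // Wildcards: profile pages and Spittle listings are public.
        // GET requests reach this rule; POST and DELETE were matched above.
        .antMatchers("/spitters/**", "/spittles/**").permitAll()
        // Least specific last. Anything not listed above requires authentication,
        // so a newly added URL is protected until it is explicitly opened up.
        .anyRequest().authenticated();
  }
}
```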
