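You need `antMatcher` for multiple `HttpSecurity`, see the Spring Security Reference:

5.7 Multiple HttpSecurity

We can configure multiple HttpSecurity instances just as we can have multiple `<http>` blocks. The key is to extend the `WebSecurityConfigurationAdapter` multiple times. For example, the following is an example of having a different configuration for URLs that start with `/api/`.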
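
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class MultiHttpSecurityConfig {

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { // (1)
            auth
                .inMemoryAuthentication()
                    .withUser("user").password("password").roles("USER").and()
                    .withUser("admin").password("password").roles("USER", "ADMIN");
        }

        @Configuration
        @Order(1) // (2)
        public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .antMatcher("/api/**") // (3)
                    .authorizeRequests()
                        .anyRequest().hasRole("ADMIN")
                        .and()
                    .httpBasic();
            }
        }

        @Configuration // (4)
        public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .authorizeRequests()
                        .anyRequest().authenticated()
                        .and()
                    .formLogin();
            }
        }
    }

(1) Configure authentication as normal.
(2) Create an instance of `WebSecurityConfigurerAdapter` that contains `@Order` to specify which `WebSecurityConfigurerAdapter` should be considered first.
(3) The `http.antMatcher` states that this `HttpSecurity` will only be applicable to URLs that start with `/api/`.
(4) Create another instance of `WebSecurityConfigurerAdapter`. If the URL does not start with `/api/`, this configuration will be used. This configuration is considered after `ApiWebSecurityConfigurationAdapter` since it has an `@Order` value after `1` (no `@Order` defaults to last).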

In your case you need no `antMatcher`, because you have only one configuration. Your modified code:

    http
        .authorizeRequests()
            .antMatchers("/high_level_url_A/sub_level_1").hasRole("USER")
            .antMatchers("/high_level_url_A/sub_level_2").hasRole("USER2")
            .somethingElse() // for /high_level_url_A/**
            .antMatchers("/high_level_url_A/**").authenticated()
            .antMatchers("/high_level_url_B/sub_level_1").permitAll()
            .antMatchers("/high_level_url_B/sub_level_2").hasRole("USER3")
            .somethingElse() // for /high_level_url_B/**
            .antMatchers("/high_level_url_B/**").authenticated()
            .anyRequest().permitAll()
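
The following is an added example, not part of the original answer or of Spring Security's own code: it models why the specific `antMatchers` rules above must come before the `/**` catch-alls, since rules are evaluated in declaration order and the first match decides. The class `RuleOrderDemo`, its `resolve` helper and the rule strings are hypothetical; it assumes `spring-core` on the classpath for `AntPathMatcher`, and `/**` stands in for `anyRequest()`.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.util.AntPathMatcher;

// Added illustration: models first-match-wins evaluation of antMatchers rules.
// It is a simplified stand-in, not Spring Security's actual filter code.
public class RuleOrderDemo {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Returns the access rule of the first pattern that matches the path.
    static String resolve(Map<String, String> rules, String path) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (MATCHER.match(rule.getKey(), path)) {
                return rule.getValue();
            }
        }
        return "no rule matched";
    }

    public static void main(String[] args) {
        // Same order as the answer: specific paths first, then the catch-alls.
        Map<String, String> specificFirst = new LinkedHashMap<>();
        specificFirst.put("/high_level_url_A/sub_level_1", "hasRole(USER)");
        specificFirst.put("/high_level_url_A/sub_level_2", "hasRole(USER2)");
        specificFirst.put("/high_level_url_A/**", "authenticated");
        specificFirst.put("/high_level_url_B/sub_level_1", "permitAll");
        specificFirst.put("/high_level_url_B/sub_level_2", "hasRole(USER3)");
        specificFirst.put("/high_level_url_B/**", "authenticated");
        specificFirst.put("/**", "permitAll"); // stands in for anyRequest()

        // Constructed counter-example: the broad pattern is declared first.
        Map<String, String> broadFirst = new LinkedHashMap<>();
        broadFirst.put("/high_level_url_A/**", "authenticated");
        broadFirst.put("/high_level_url_A/sub_level_2", "hasRole(USER2)");

        String[] paths = {
            "/high_level_url_A/sub_level_2",
            "/high_level_url_A/other",
            "/high_level_url_B/sub_level_1",
            "/unlisted"
        };
        for (String p : paths) {
            System.out.println(p + " -> " + resolve(specificFirst, p));
        }
        // The role check is shadowed: the broad rule answers before it is reached.
        System.out.println("broad first: /high_level_url_A/sub_level_2 -> "
                + resolve(broadFirst, "/high_level_url_A/sub_level_2"));
    }
}
```

With the broad pattern declared first, the `hasRole` rule for `sub_level_2` is never consulted, which silently weakens the check from a role requirement to plain authentication.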


