1. URL matching control

  1. As the rules above show, there can be many URL matching rules and many permission control methods; combined, they form authorization in Spring Security
  2. Permission takes the intersection of all matching rules. The configuration order affects the authorization result: more specific rules should be placed first, and more general rules last
  3. In the configuration class, http.authorizeRequests() is used to control URLs, that is, authorization (access control), which is mainly implemented by matching different URLs. The general form is http.authorizeRequests() followed by a matching method

2. URL matching method

1.1 anyRequest()

  1. anyRequest() matches all requests. It is generally used to require authentication for everything, and is usually placed as the last rule
// All requests are intercepted, usually for final control
.anyRequest().authenticated();

1.2 antMatchers()

  1. Matching is done with Ant expressions. The method takes a variable number of arguments, each of which is an Ant expression used to match URLs
    • antMatchers(String... antPatterns)
  2. The Ant expression rules are as follows
    • ? : Matches a character
    • * : Matches 0 or more characters
    • ** : Matches 0 or more directories
  3. In real projects, you often need to permit all static resources. The following example permits all files in the js folder and the css folder
.antMatchers("/js/**", "/css/**").permitAll()
  4. Another option is to permit all .js and .css files
.antMatchers("/**/*.js", "/**/*.css").permitAll()

1.3 regexMatchers()

  1. regexMatchers() matches with regular expressions. The main difference from antMatchers() is the arguments: antMatchers() takes Ant expressions and regexMatchers() takes regular expressions
  2. The following permits all files ending in .css
.regexMatchers(".*[.]css").permitAll()

1.4 HttpMethod

  1. Both antMatchers() and regexMatchers() have overloads with two parameters, one of which is an HttpMethod that specifies the request method. When HttpMethod is set, the rule applies only to requests that use the specified method
  2. The values of the enumerated type HttpMethod are as follows
import java.util.HashMap;
import java.util.Map;

import org.springframework.lang.Nullable;

public enum HttpMethod {

	GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS, TRACE;

	private static final Map<String, HttpMethod> mappings = new HashMap<>(16);

	static {
		for (HttpMethod httpMethod : values()) {
			mappings.put(httpMethod.name(), httpMethod);
		}
	}

	/**
	 * Resolve the given method name to an HttpMethod.
	 */
	@Nullable
	public static HttpMethod resolve(@Nullable String method) {
		return (method != null ? mappings.get(method) : null);
	}

	/**
	 * Check whether the given method name matches this HttpMethod.
	 */
	public boolean matches(String method) {
		return (this == resolve(method));
	}

}

1.5 mvcMatchers()

  1. mvcMatchers() is useful when a servletPath is configured in the configuration file
  2. The servletPath is a common prefix for all URLs. In Spring Boot, you can add the following to the configuration file to set the servletPath
spring.mvc.servlet.path=/security
  3. In the Spring Security configuration class, servletPath() is a method specific to the return value of mvcMatchers(); antMatchers() and regexMatchers() do not have it. Pass the configured servletPath to servletPath(), and write in mvcMatchers() the path set in @RequestMapping() in Spring MVC
    • Release, go to http://localhost:8888/security/toCss at this time the request all blocked the path
.mvcMatchers("/toCss").servletPath("/security").permitAll()
@ResponseBody
@RequestMapping("/toCss")
public String css() {
    return "redirect:index.css";
}
  4. The mvcMatchers() rule above can also be written as the equivalent antMatchers() rule
    • Extension: You can set the operation permission of a menu, such as /user/delete, to achieve permission control
.antMatchers("/security/toCss").permitAll()
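
The ordering rule and the matchers described above, combined into one configuration class. This is an added example, not code from the original article; it assumes Spring Security 5.x with no servletPath configured, and the /user/** pattern and the "admin" authority are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example (not from the original article). Assumes Spring Security 5.x and
// no spring.mvc.servlet.path; "/user/**" and the "admin" authority are hypothetical.
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Static resources: specific, public, declared first.
            .antMatchers("/js/**", "/css/**").permitAll()
            // Method-restricted rule: applies to GET only; any other method
            // on the same URL falls through to the rules below.
            .antMatchers(HttpMethod.GET, "/toCss").permitAll()
            // Operation-level rule. It must come BEFORE the broader "/user/**"
            // rule: rules are evaluated in declaration order and the first
            // match decides, so the reverse order would let any logged-in
            // user reach /user/delete.
            .antMatchers("/user/delete").hasAuthority("admin")
            .antMatchers("/user/**").authenticated()
            // Catch-all, always last: everything not matched above needs login.
            .anyRequest().authenticated()
            .and()
            .formLogin();
    }
}
```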