我想知道是否有可能为所有用户提供对特定URL的访问权? 我休息控制器:Spring Security,授权访问,拒绝特定的URL
@RestController
@RequestMapping("/travel/")
public class TravelController {
@RequestMapping(value = { "/" }, method = { RequestMethod.POST })
public String newTravel(HttpEntity<String> httpEntity)
{
...
return null;
}
@RequestMapping(value = { "/follow/{travelId}/{email}/" }, method = { RequestMethod.POST })
public ResponseEntity<String> followTravel(@PathVariable int travelId,@PathVariable String email, HttpEntity<String> httpEntity)
{
...
}
我想限制对所有POST身份验证的用户,但授权followTravel()
给所有用户。
我的安全配置是:
@Override
protected void configure(HttpSecurity http) throws Exception
{
http.csrf() //
.disable() //
.authorizeRequests() //
.antMatchers(HttpMethod.POST, "/travel/follow/**") // permit all POST to authenticated
.anonymous() //
.antMatchers(HttpMethod.POST, "/**") // permit all POST to authenticated
.authenticated() //
.antMatchers(HttpMethod.PUT, "/**") // permit all PUT to authenticated
.authenticated() //
.antMatchers(HttpMethod.DELETE, "/**") // permit all DELETE to authenticated
.authenticated() //
.anyRequest() //
.permitAll() //
.and() //
.httpBasic() //
.and() //
.sessionManagement() //
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
// .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
我试过设置
.antMatchers(HttpMethod.POST, "/travel/follow/**") // permit all POST to authenticated
.anonymous() //
之前或之后
.antMatchers(HttpMethod.POST, "/**") // permit all POST to authenticated
.authenticated() //
,但没有成功。我通常在SO中找到答案,但没有为这个答案。
感谢
我的不好,当我尝试它时,我被连接了。所以它在连接时工作,而不是在匿名时工作。 – Avados