Spring Security permitAll of operations that do not allow anonymous access
- 2021-09-24 22:40:13
- OfStack
Spring Security permitAll () does not allow anonymous access
Before modification
http
.addFilterBefore(muiltpartFilter, ChannelProcessingFilter.class)
.addFilterBefore(cf, ChannelProcessingFilter.class)
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.authorizeRequests()
.antMatchers("/ping**")
.permitAll()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/login");After modification
http
.addFilterBefore(muiltpartFilter, ChannelProcessingFilter.class)
.addFilterBefore(cf, ChannelProcessingFilter.class)
.authorizeRequests()
.antMatchers("/ping**")
.permitAll()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/login");The order of permitAll () is important, as in the XML configuration, that is, authorizeRequests (). anyRequest (). authenticate comes last
Spring Security @ PreAuthorize Intercept Invalid
1. Use annotations when using spring security
@PreAuthorize("hasAnyRole('ROLE_Admin')")Put the control on the access rights of the method into failure, where the configuration is as follows:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserDetailsService userDetailsService;
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers("/res/**", "/login/login*").permitAll()
.anyRequest().authenticated()
.and().formLogin().loginPage("/login/login").defaultSuccessUrl("/")
.passwordParameter("password")
.usernameParameter("username")
.and().logout().logoutSuccessUrl("/login/login");
}
}The methods in Controller are as follows:
@Controller
@RequestMapping("/demo")
public class DemoController extends CommonController{
@Autowired
private UserService userService;
@PreAuthorize("hasAnyRole('ROLE_Admin')")
@RequestMapping(value = "user-list")
public void userList() {
}
}Using a user without ROLE_Admin permission to access this method was found to be invalid.
SecurityConfig under Modification 1:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers("/res/**", "/login/login*").permitAll()
.antMatchers("/demo/user-list").access("hasRole('ROLE_Admin')")
.anyRequest().authenticated()
.and().formLogin().loginPage("/login/login").defaultSuccessUrl("/")
.passwordParameter("password")
.usernameParameter("username")
.and().logout().logoutSuccessUrl("/login/login");
}Add on:
.antMatchers("/demo/user-list").access("hasRole('ROLE_Admin')")It can be intercepted normally, indicating that the method interception is not effective.
If it is based on xml, you need to add:
<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" />After changing to Annotation mode, you need to use @ EnableGlobalMethodSecurity (prePostEnabled=true) annotation to open it.
And you need to provide the following methods:
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}To intercept normally.