Spring Security – Configuring Different URLs – Spring Security – 配置不同的URLs

最后修改: 2022年 2月 20日

中文/混合/英文(键盘快捷键:t)

1. Overview

1.概述

In this tutorial, we’ll look at how to configure Spring Security to use different security configurations for different URL patterns.

在本教程中,我们将看看如何配置Spring Security,以便对不同的URL模式使用不同的安全配置。

This is helpful when an application requires more security for certain operations while others are permitted for all users.

当一个应用程序对某些操作需要更多的安全保障,而其他操作则允许所有用户使用时,这就很有帮助。

2. Setup

2.设置

Let’s start by setting up the application.

让我们从设置应用程序开始。

We’ll need the Web and Security dependencies to create this service. Let’s start by adding the following dependencies to the pom.xml file:

我们需要WebSecurity依赖项来创建这个服务。让我们首先将以下依赖项添加到pom.xml文件中。

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency> 
    <groupId>org.springframework.boot</groupId> 
    <artifactId>spring-boot-starter-security</artifactId> 
</dependency>

3. Create the APIs

3.创建API

We’ll create a RESTful web service with two APIs: a Product API and a Customer API. To achieve this, we’re going to set up two controllers.

我们将创建一个具有两个API的RESTful网络服务:一个产品API和一个客户API。为了实现这一目标,我们将设置两个控制器。

3.1. Product API

3.1.产品API

Let’s create the ProductController. It contains a single method, getProducts, which returns a list of products:

让我们创建ProductController。它包含一个方法,getProducts,返回一个产品的列表。

@RestController("/products")
public class ProductController {
    
    @GetMapping
    public List<Product> getProducts() {
        return new ArrayList<>(Arrays.asList(
          new Product("Product 1", "Description 1", 1.0),
          new Product("Product 2", "Description 2", 2.0)
        ));
    }
}

3.2. Customer API

3.2.客户API

Similarly, let’s define the CustomerController: 

同样地,让我们定义CustomerController。

@RestController("/customers")
public class CustomerController {
    
    @GetMapping("/{id}")
    public Customer getCustomerById(@PathVariable("id") String id) {
        return new Customer("Customer 1", "Address 1", "Phone 1");
    }
}

In a typical web application, all users, including guest users can get a list of products.

在一个典型的网络应用中,所有的用户,包括访客用户都可以得到一个产品的清单。

However, getting a customer’s detail by their ID seems like something only an admin can do. So we’ll define our security configuration in a way that can enable this.

然而,通过客户的ID来获取客户的详细信息,似乎只有管理员才能做到。因此,我们将定义我们的安全配置,使其能够实现。

4. Set Up the Security Configuration

4.设置安全配置

When we add Spring Security to the project, it will disable access to all APIs by default. So we’ll need to configure Spring Security to allow access to the APIs.

当我们在项目中添加Spring Security时,它将默认禁止对所有API的访问。所以我们需要配置Spring Security以允许对API的访问。

Let’s create the SecurityConfiguration class:

我们来创建SecurityConfiguration类。

@Configuration
public class SecurityConfiguration {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/products/**")
            .permitAll()
            .and()
            .authorizeRequests()
            .antMatchers("/customers/**")
            .hasRole("ADMIN")
            .anyRequest()
            .authenticated()
            .and()
            .httpBasic();
        return http.build();
    }
}

Here we’ve created a SecurityFilterChain bean to configure the security for the application.

在这里,我们创建了一个SecurityFilterChain bean来配置应用程序的安全性。

Additionally, to prepare for basic authentication, we need to configure users for our application.

此外,为了准备基本认证,我们需要为我们的应用程序配置用户

We’ll read each part of the code to understand it better.

我们将阅读代码的每一部分以更好地理解它。

4.1. Allowing Requests to the Products API

4.1.允许对产品API的请求

  • authorizeRequests(): This method tells Spring to use the following rules while authorizing requests.
  • antMatchers(“/products/**”): This specifies the URL patterns for which the security configuration applies. We are chaining it with a permitAll() action. If a request contains “/products” in its path, it is allowed to go to the controller.
  • We can add more rules to our configuration using the and() method.

This marks the end of one chain of rules. The other rules which follow will also be applied to the requests. So we need to make sure our rules do not conflict with each other. A good practice is to define generic rules at the top and more specific rules at the bottom.

这标志着一个规则链的结束。接下来的其他规则也将被应用于这些请求。所以我们需要确保我们的规则不会相互冲突。一个好的做法是,在顶部定义通用规则,在底部定义更具体的规则。

4.2. Allow Only Admin Access to the Customer API

4.2.只允许管理员访问客户的API

Now let’s look at the second part of the configuration:

现在让我们来看看配置的第二部分。

  • To start a new rule, we can once again use the authorizeRequests() method.
  • antMatchers(“/customers/**”).hasRole(“ADMIN”): If the URL contains “/customers” in the path, we check that the user making the request has the role ADMIN.

If the user is not authenticated, this will lead to a “401 Unauthorized” error. If the user does not have the correct role, this will lead to a “403 Forbidden” error.

如果用户没有经过认证,这将导致一个 “401未授权 “的错误。如果用户没有正确的角色,这将导致一个 “403禁止 “的错误。

4.3. Default Rule

4.3.默认规则

We have added matches to match certain requests. Now we need to define some default behavior for the rest of the requests.

我们已经添加了匹配某些请求的匹配。现在我们需要为其余的请求定义一些默认行为。

anyRequest().authenticated()anyRequest() defines a rule chain for any request which did not match the previous rules. In our case, such requests will be passed as long as they are authenticated.

anyRequest().authenticated()anyRequest()为任何不符合先前规则的请求定义了一个规则链。在我们的案例中,只要这些请求经过认证,就会被通过。

Please note that there can be only one default rule in the configuration, and it needs to be at the end. If we try to add a rule after adding a default rule, we get an error – “Can’t configure antMatchers after anyRequest”.

请注意,配置中只能有一个默认规则,而且需要放在最后。如果我们试图在添加默认规则之后再添加规则,我们会得到一个错误–“不能在anyRequest之后配置antMatchers”。

5. Testing

5.测试

Let’s test both APIs using cURL.

让我们用cURL测试一下这两个API。

5.1. Test the Product API

5.1.测试产品的API

$ curl -i http://localhost:8080/products
[
  {
    "name": "Product 1",
    "description": "Description 1",
    "price": 1.0
  },
  {
    "name": "Product 2",
    "description": "Description 2",
    "price": 2.0
  }
]

We get the two products in response as expected.

我们如期得到了这两种产品的回应。

5.2. Test the Customer API

5.2.测试客户API

$ curl -i http://localhost:8080/customers/1

The response body is empty.

响应体是空的。

If we check the header, we’ll see “401 Unauthorized” status. This is because access to the Customer API is only allowed for authenticated users with the role ADMIN.

如果我们检查标头,我们会看到 “401未授权 “的状态。这是因为只有具有ADMIN角色的认证用户才可以访问客户API。

Now let’s try again after adding authentication information to the request:

现在让我们在向请求添加认证信息后再试一次。

$ curl -u admin:password -i http://localhost:8080/customers/1 
{
  "name": "Customer 1",
  "address": "Address 1",
  "phone": "Phone 1"
}

Great! We can now access the Customer API.

很好!我们现在可以访问客户API了。

6. Conclusion

6.结语

In this tutorial, we learned how to set up Spring Security in a Spring Boot application. We also covered configuring access specific to a URL pattern using the antMatchers() method.

在本教程中,我们学习了如何在Spring Boot应用程序中设置Spring Security。我们还介绍了使用antMatchers()方法配置特定于URL模式的访问。

As usual, the code for this tutorial can be found over on GitHub.

像往常一样,本教程的代码可以在GitHub上找到超过