添加密碼保護特定URL

Question

我有我的春季安全配置文件一樣，

package com.wi; 

import org.slf4j.Logger; 
import org.slf4j.LoggerFactory; 
import org.springframework.beans.factory.annotation.Autowired; 
import org.springframework.context.annotation.Bean; 
import org.springframework.context.annotation.Configuration; 
import org.springframework.core.annotation.Order; 
import org.springframework.http.HttpStatus; 
import com.wi.HttpAuthenticationEntryPoint; 
import com.wi.filter.AuthenticationFilter; 
import com.wi.HttpLogoutSuccessHandler; 
import com.wi.LogOutHandler; 

/** 
* Web security configuration class 
*/ 
@Configuration 
@EnableWebSecurity 
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) 
public class WebSecurityConfig extends WebSecurityConfigurerAdapter { 

private static final Logger logger = LoggerFactory.getLogger(WebSecurityConfig.class); 

@Autowired 
private HttpAuthenticationEntryPoint authenticationEntryPoint; 

@Autowired 
private HttpLogoutSuccessHandler logoutSuccessHandler; 

@Autowired 
private MessageBundleResource messageBundle; 

@Autowired 
private LogOutHandler logoutHandler; 

@Override 
protected void configure(final HttpSecurity http) throws DataException 
{ 
    try 
    { 
     http.csrf().disable().exceptionHandling().authenticationEntryPoint(authenticationEntryPoint).and().headers() 
       .cacheControl().and() 
       .addHeaderWriter(
         new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN)) 
       .and().authorizeRequests() 
       // Allow anonymous resource requests 
       .antMatchers("/").permitAll().antMatchers("/login").permitAll().antMatchers("/pages/**").permitAll() 
       // Allow anonymous logins 
       .antMatchers("/auth/**").permitAll() 

       // Allow test rest 
       .antMatchers("/rest-test/**").permitAll() 

       // Allow invite admin 
       .antMatchers("/rest/user/inviteAdmin").permitAll() 

       // Allow activate user 
       .antMatchers("/rest/user/activateUser").permitAll() 
       // Allow activate admin 
       .antMatchers("/rest/user/activateAdmin").permitAll() 

       // Allow check domain availability 
       .antMatchers("/rest/user/checkDomainAvailability").permitAll() 

       // Allow check company and email active 
       .antMatchers("/rest/company/checkEmailAndCompanyIsActive").permitAll() 

       // Allow check domain by email 
       .antMatchers("/rest/user/getDomainByEmail").permitAll() 

       // Allow reset password 
       .antMatchers("/rest/user/resetPassword").permitAll() 

       // Allow to get messages 
       .antMatchers("/rest/kat/getMessages").permitAll() 
       // upload 
       .antMatchers("/rest/file/upload").permitAll() 

       // Allow get user details 
       .antMatchers("/rest/user/getUserDetails").permitAll() 

       // Allow to get password pattern 
       .antMatchers("/rest/config/getPasswordPattern").permitAll() 

       .antMatchers("/rest/task/getCategories").permitAll() 

       // Allow to get config messages 
       .antMatchers("/rest/config/getTooltip").permitAll() 
       // Allow to get webhook 
       .antMatchers("/rest/integration/jiraWebHook").permitAll() 
       // Allow to get global navigation 
       .antMatchers("/rest/config/getGlobalNavigation").permitAll() 

       .antMatchers("/rest/task/updateTaskDetail").permitAll() 

       .antMatchers("/rest/task/updateTask").permitAll().antMatchers("/error/**").permitAll() 
       // All other request need to be authenticated 
       .antMatchers("/rest/**").authenticated().and().formLogin().loginPage("/login").permitAll().and() 
       .logout().addLogoutHandler(logoutHandler).invalidateHttpSession(true) 
       .logoutSuccessHandler(logoutSuccessHandler).logoutUrl("/rest/session/logout").and() 

       // Custom Token based authentication based on the header 
       // previously given to the client 
       .addFilterBefore(new AuthenticationFilter(authenticationManager()), 
         BasicAuthenticationFilter.class); 

     http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED).sessionFixation() 
       .changeSessionId(); 

    } 
    catch(final Exception e) 
    { 
     logger.error("Error", e); 
     throw new DataException(StringConstants.EXCEPTION, 
       messageBundle.getMessage("kat.error.something.went.wrong"), HttpStatus.INTERNAL_SERVER_ERROR); 
    } 

} 

/** 
* 
* @param auth 
*/ 
@Autowired 
public void configureGlobal(final AuthenticationManagerBuilder auth) 
{ 
    auth.authenticationProvider(domainUsernamePasswordAuthenticationProvider()); 

} 

/** 
* 
* @return 
*/ 
@Bean 
public AuthenticationProvider domainUsernamePasswordAuthenticationProvider() 
{ 
    return new UsernamePasswordAuthProvider(); 
} 

} 

如何使用戶提示輸入用戶名和密碼，當他打的URL http://localhost:8080/swagger-ui.html。所有人都可以直接訪問網址爲permitAll()的網址。但是，當用戶點擊http://localhost:8080/swagger-ui.html時，我想春天向他詢問用戶名和密碼。怎麼做？

Answer 1

你有很多配置。基本上，每個螞蟻匹配器即不會被忽略或不被允許，所有的都將受到安全保護，如果您應用了httpBasic或formLogin安全性。

例如從彈簧單證：

protected void configure(HttpSecurity http) throws Exception { 
    http 
     .authorizeRequests()                1 
      .antMatchers("/resources/**", "/signup", "/about").permitAll()     2 
      .antMatchers("/admin/**").hasRole("ADMIN")          3 
      .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")   4 
      .anyRequest().authenticated()             5 
      .and() 
     // ... 
     .formLogin(); 
} 

如果URL以 「/資源/」 開始的任何用戶可以訪問的請求時，等於 「/註冊」，或等於 「/大約」

任何其他路徑將觸發窗體登錄身份驗證