Spring Security配置免验证访问策略
针对特定资源无需身份验证的情况,可通过两种方式实现访问控制:
- 通过HttpSecurity定义路径权限规则
- 利用WebSecurityCustomizer跳过安全过滤器
一、HttpSecurity权限配置
Spring Security通过以下方法管理访问控制:
- authenticated():仅限已认证用户访问
- anonymous():仅限匿名用户访问
- permitAll():允许所有用户访问
示例场景需求:
- /api/secure/** 需要登录访问
- /api/public/products 公开访问
- /api/public/register 仅限未登录用户
- 其他路径默认公开
创建测试接口:
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class StoreController {
@GetMapping("/api/secure/cart")
public String getCart() {
return "Cart Data";
}
@GetMapping("/api/public/products")
public String getProducts() {
return "Product List";
}
@GetMapping("/api/public/register")
public String userRegister() {
return "Registration Form";
}
@GetMapping("/api/test")
public String testEndpoint() {
return "Test Access";
}
}
配置安全规则:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
public class SecurityConfig{
@Bean
public UserDetailsService userAccountManager() {
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(User.withDefaultPasswordEncoder().username("admin").password("pass123").roles("ADMIN").build());
manager.createUser(User.withDefaultPasswordEncoder().username("user").password("user123").roles("USER").build());
return manager;
}
@Bean
public SecurityFilterChain securityChain(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/api/secure/**").authenticated()
.antMatchers("/api/public/products").permitAll()
.antMatchers("/api/public/register").anonymous()
.anyRequest().permitAll()
.and()
.formLogin()
.and()
.httpBasic();
return http.build();
}
}
测试验证: 未登录状态访问:
- /api/test 返回200
- /api/public/products 返回200
- /api/public/register 返回200
- /api/secure/cart 重定向到登录页
登录后访问:
- /api/public/register 返回403
- /api/secure/cart 正常访问
二、WebSecurityCustomizer免验证配置
该方式通过直接排除路径规避安全过滤器链,适用于全局公开路径:
需求场景:
- /api/public/** 无需验证
- 其他路径需要认证
配置示例:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
@Configuration
public class SecurityConfig{
@Bean
public WebSecurityCustomizer ignoreSecurity() {
return (web) -> web
.ignoring()
.antMatchers("/api/public/*");
}
}
测试验证: 未登录状态访问:
- /api/test 重定向登录
- /api/public/products 返回200
- /api/secure/cart 重定向登录
登录后访问:
- /api/public/register 返回200
- /api/secure/cart 正常访问