In my Spring Boot application based on version 1.3.0.BUILD-SNAPSHOT, I have the static resources (images, css, js) in the static folder under resources.
I see some examples related to security configuration like the following:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
public void configure(final WebSecurity web) throws Exception {
web.ignoring()
.antMatchers("/static/**");
}
}
Is that example correct?
What should be the effect?
How to verify that it works (e.g. doing a request to localhost:8080/something?
What cool things can I do with WebSecurity?
Your example mean that Spring (Web) Security is ignoring Url-Pattern that match the Expression you have defined ("/static/**"). This Url is skipped by Security, therefore non-secured.
Allows adding RequestMatcher instances that should that Spring Security should ignore. Web Security provided by Spring Security (including the SecurityContext) will not be available on HttpServletRequest that match. Typically the requests that are registered should be that of only static resources. For requests that are dynamic, consider mapping the request to allow all users instead.
See: http://docs.spring.io/autorepo/docs/spring-security/4.0.0.RELEASE/apidocs/org/springframework/security/config/annotation/web/builders/WebSecurity.html
You can have as many Url-Pattern secured or unsecured.
With Spring Security you have authentication and access-control features for the web layer of an application. You can also restict users who have a specified role to access a partitial Url and so on...
Have a look here:
http://docs.spring.io/spring-security/site/docs/current/reference/html/
Ordering Priority of Url Pattern
When matching the specified patterns against an incoming request, the matching is done in the order in which the elements are declared. So the most specific matches patterns should come first and the most general should come last.
There are multiple children to the http.authorizeRequests() method
each matcher is considered in the order they were declared.
Patterns are always evaluated in the order they are defined. Thus it is important that more specific patterns are defined higher in the list than less specific patterns.
Have a look: http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#filter-security-interceptor
Example 1
Generell use of WebSecurity ignoring() Method omits Spring Security and none of Spring Security’s features will be available.
WebSecurity is based above HttpSecurity. In Xml-Configuration you can write <http pattern="/resources/**" security="none"/>.
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/resources/**")
.antMatchers("/publics/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/publics/**").hasRole("USER") // no effect
.anyRequest().authenticated();
}
WebSecurity in the above example let Spring ignoring /resources/** and /publics/** . Therefore the .antMatchers("/publics/**").hasRole("USER") in HttpSecurity is unconsidered.
This will omit the request pattern from the security filter chain entirely.
Note that anything matching this path will then have no authentication or authorization services applied and will be freely accessible.
Example 2
Patterns are always evaluated in order. The below matching is invalid because the first matches every request and will never apply the second match:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/**").hasRole("USER")
.antMatchers("/admin/**").hasRole("ADMIN"):
}
Well in the code you shared, if you had your static files i.e. CSS/JS etc in a folder called static then all your static resources will be added to the page whereas if you left out
web.ignoring()
.antMatchers("/static/**");
none of your static resources will be loaded.
Spring Security is extremely powerful, Spring has great documentation so you should just go read about it fully appreciate/understand it.
Here is a
link
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 傲 的文章《Correct use of WebSecurity in WebSecurityConfigure》','https://www.manongdao.com/article-545305.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}