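// Webpack async chunk 536 of a VuePress site: the "Authorize ServerHttpRequest"
// (授权 ServerHttpRequest) page of a Chinese translation of the Spring Security
// reference manual. The chunk registers module 965 with the webpackJsonp runtime;
// the module is a Vue single-file component compiled to a render function, so
// every piece of page text below is a runtime string, not a comment.
//
// Corrections to the rendered text made in this revision:
//  * The code-sample tab label read "爪哇" (the island of Java). The language
//    name is left untranslated elsewhere on the page (the "Kotlin" tab, the
//    Spring class names), so the tab now reads "Java".
//  * Spring Security authority names are case-sensitive: hasRole("ADMIN") checks
//    for the "ROLE_ADMIN" authority and the implied prefix is "ROLE_". The
//    explanatory table said "role_admin", "role_DBA" and "role_", which would
//    lead a reader to grant an authority that hasRole() never matches.
(window.webpackJsonp = window.webpackJsonp || []).push([
  [536],
  {
    // Module factory; webpack calls it with (module, exports, require).
    965: function (t, e, n) {
      "use strict";
      n.r(e); // flag the exports object as an ES module namespace

      // Module 56 looks like vue-loader's normalizeComponent helper (arguments:
      // scriptExports, render, staticRenderFns, functionalTemplate,
      // injectStyles, scopeId, moduleIdentifier) — NOTE(review): confirm against
      // the shared runtime chunk; only `a.a` is used here.
      var a = n(56);

      var r = Object(a.a)(
        {},
        // Compiled <template>: `t` is the component instance and `n` the
        // createElement function that builds VNodes.
        function () {
          var t = this;
          var e = t.$createElement;
          var n = t._self._c || e;

          // VuePress code block: <div class="language- extra-class"><pre><code>…
          function codeBlock(text) {
            return n("div", { staticClass: "language- extra-class" }, [
              n("pre", { pre: true, attrs: { class: "language-text" } }, [
                n("code", [t._v(text)]),
              ]),
            ]);
          }

          // One row of the callout table: a bold callout number in the first
          // cell and the explanation in the second. `cell` is "th" for the
          // header row and "td" for body rows, exactly as the compiled
          // template emitted them.
          function calloutRow(cell, number, explanation) {
            return n("tr", [
              n(cell, [n("strong", [t._v(number)])]),
              t._v(" "),
              n(cell, explanation),
            ]);
          }

          // Example 1: every exchange must be authenticated.
          var javaExample1 = [
            "@Bean",
            "SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {",
            "    http",
            "        .authorizeExchange(exchanges -> exchanges",
            "            .anyExchange().authenticated()",
            "        )",
            "        .httpBasic(withDefaults())",
            "        .formLogin(withDefaults());",
            "    return http.build();",
            "}",
            "",
          ].join("\n");

          var kotlinExample1 = [
            "@Bean",
            "fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {",
            "    return http {",
            "        authorizeExchange {",
            "            authorize(anyExchange, authenticated)",
            "        }",
            "        formLogin { }",
            "        httpBasic { }",
            "    }",
            "}",
            "",
          ].join("\n");

          // Example 2: ordered rules. Rules are evaluated in declaration order,
          // which is why the catch-all denyAll() comes last. The /db/** lambda
          // keeps a *denied* ADMIN decision (filter on !isGranted) and only
          // falls through to the DBA check when ADMIN was granted, i.e. it
          // requires both roles — callout 4 in the table describes exactly that.
          var javaExample2 = [
            "import static org.springframework.security.authorization.AuthorityReactiveAuthorizationManager.hasRole;",
            "// ...",
            "@Bean",
            "SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {",
            "\t// @formatter:off",
            "\thttp",
            "\t\t// ...",
            "\t\t.authorizeExchange((authorize) -> authorize                          (1)",
            '\t\t\t.pathMatchers("/resources/**", "/signup", "/about").permitAll()  (2)',
            '\t\t\t.pathMatchers("/admin/**").hasRole("ADMIN")                      (3)',
            '\t\t\t.pathMatchers("/db/**").access((authentication, context) ->      (4)',
            '\t\t\t\thasRole("ADMIN").check(authentication, context)',
            "\t\t\t\t\t.filter(decision -> !decision.isGranted())",
            '\t\t\t\t\t.switchIfEmpty(hasRole("DBA").check(authentication, context))',
            "\t\t\t)",
            "\t\t\t.anyExchange().denyAll()                                         (5)",
            "\t\t);",
            "\t// @formatter:on",
            "\treturn http.build();",
            "}",
            "",
          ].join("\n");

          var kotlinExample2 = [
            "@Bean",
            "fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {",
            "    return http {",
            "        authorizeExchange {                                                           (1)",
            '            authorize(pathMatchers("/resources/**", "/signup", "/about"), permitAll)  (2)',
            '            authorize("/admin/**", hasRole("ADMIN"))                                  (3)',
            '            authorize("/db/**", { authentication, context ->                          (4)',
            '                hasRole("ADMIN").check(authentication, context)',
            "                    .filter({ decision -> !decision.isGranted() })",
            '                    .switchIfEmpty(hasRole("DBA").check(authentication, context))',
            "            })",
            "            authorize(anyExchange, denyAll)                                           (5)",
            "        }",
            "        // ...",
            "    }",
            "}",
            "",
          ].join("\n");

          return n(
            "ContentSlotsDistributor",
            { attrs: { "slot-key": t.$parent.slotKey } },
            [
              n("h1", { attrs: { id: "授权-serverhttprequest" } }, [
                n(
                  "a",
                  { staticClass: "header-anchor", attrs: { href: "#授权-serverhttprequest" } },
                  [t._v("#")]
                ),
                t._v(" 授权 ServerHttpRequest"),
              ]),
              t._v(" "),
              n("p", [
                t._v("Spring 安全性为授权传入的 HTTP 请求提供了支持。默认情况下, Spring Security 的授权将要求对所有请求进行身份验证。显式配置如下所示:"),
              ]),
              t._v(" "),
              n("p", [t._v("例 1。所有请求都需要经过身份验证的用户。")]),
              t._v(" "),
              n("p", [t._v("Java")]),
              t._v(" "),
              codeBlock(javaExample1),
              n("p", [t._v("Kotlin")]),
              t._v(" "),
              codeBlock(kotlinExample1),
              n("p", [t._v("我们可以通过按优先级顺序添加更多规则来配置 Spring 安全性,使其具有不同的规则。")]),
              t._v(" "),
              n("p", [t._v("例 2。多个授权请求规则")]),
              t._v(" "),
              n("p", [t._v("Java")]),
              t._v(" "),
              codeBlock(javaExample2),
              n("p", [t._v("Kotlin")]),
              t._v(" "),
              codeBlock(kotlinExample2),
              n("table", [
                n("thead", [
                  calloutRow("th", "1", [
                    t._v("指定了多个授权规则。"),
                    n("br"),
                    t._v("每个规则都按照它们被声明的顺序被考虑。"),
                  ]),
                ]),
                t._v(" "),
                n("tbody", [
                  calloutRow("td", "2", [
                    t._v("我们指定了任何用户都可以访问的多个 URL 模式。"),
                    n("br"),
                    t._v("具体来说,如果 URL 以“/resources/”开头,等于“/signup”或等于“/about”,则任何用户都可以访问请求。"),
                  ]),
                  t._v(" "),
                  // Authority names corrected to the case Spring actually uses.
                  calloutRow("td", "3", [
                    t._v("任何以“/admin/”开头的 URL 都将被限制为具有“ROLE_ADMIN”权限的用户。"),
                    n("br"),
                    t._v("你将注意到,由于我们正在调用"),
                    n("code", [t._v("hasRole")]),
                    t._v("方法,因此我们不需要指定“ROLE_”前缀。"),
                  ]),
                  t._v(" "),
                  calloutRow("td", "4", [
                    t._v("任何以“/db/”开头的 URL 都需要用户同时具有“ROLE_ADMIN”和“ROLE_DBA”。"),
                    n("br"),
                    t._v("这表明了提供自定义"),
                    n("code", [t._v("ReactiveAuthorizationManager")]),
                    t._v("的灵活性,允许我们实现任意的授权逻辑。"),
                    n("br"),
                    t._v("为了简单起见,示例使用 lambda 并将其委托给现有的"),
                    n("code", [t._v("AuthorityReactiveAuthorizationManager.hasRole")]),
                    t._v("实现。"),
                    n("br"),
                    t._v("但是,在实际情况下,应用程序可能会在实现"),
                    n("code", [t._v("ReactiveAuthorizationManager")]),
                    t._v("的适当类中实现该逻辑。"),
                  ]),
                  t._v(" "),
                  calloutRow("td", "5", [
                    t._v("任何尚未匹配的 URL 都将被拒绝访问。"),
                    n("br"),
                    t._v("如果你不想意外地忘记更新授权规则,这是一个很好的策略。"),
                  ]),
                ]),
              ]),
            ]
          );
        },
        [], // staticRenderFns
        false, // functionalTemplate
        null, // injectStyles
        null, // scopeId
        null // moduleIdentifier
      );

      e.default = r.exports;
    },
  },
]);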