基于自定义标头的 Spring Security antMatcher 规则

.antMatchers( HttpMethod.POST, "/api/website-user" ).permitAll()

 @PostMapping( headers = "X-Operation-Name=forgot-password" )
   public WebsiteUser forgotPassword( @Valid PasswordResetRequestModel passwordReset )

@PostMapping( headers = "X-Operation-Name=resend-verification" )
   public WebsiteUser resendVerification( Principal principal )

1回答

哈士奇WWW

您始终可以实现一个RequestMatcher来定义您自定义的 HTTP 请求匹配逻辑。如果匹配器为 HTTP 请求返回真值，它将允许该请求访问：public MyRequestMatcher implements RequestMatcher {    boolean matches(HttpServletRequest request){         //Define the matching logic here....         if(request.getHeader("xxx") != null &&            request.getHeader("xxx").equals("yyyy"){             return true;         }         //blablablab    }} 并配置使用这个匹配器： httpSecurity.authorizeRequests().requestMatchers(new MyRequestMatcher()).permitAll();Spring Security 也提供了一些常用的RequestMatcher比如RequestHeaderRequestMatcher和AndRequestMatcher，应该适合你的需求：//This matches if the request has X-Operation-Name header and its value is forgot-passwordRequestHeaderRequestMatcher headerMatcher = new RequestHeaderRequestMatcher("X-Operation-Name","forgot-password" );// This matches if the request is POST to the /api/website-userAntPathRequestMatcher antRequestMatcher = new AntPathRequestMatcher("/api/website-user", HttpMethod.POST)// This matches if both of the above matches matches AndRequestMatcher andMatcher = new AndRequestMatcher(headerMatcher,antRequestMatcher );httpSecurity.authorizeRequests().requestMatchers(andMatcher).permitAll();

0

0

0