We're reworking our product to remove the default "anonymousUser" behavior in Spring Security and would like to lock down all URLs (via filter security) with the exception of just a few endpoints. What we can't figure out is how to specify "lock down everything except X, Y, and Z".
Our security setup essentially boils down to the following:
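
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // disable anonymous users
                .anonymous().disable()
                // don't add ROLE_ to the role...
                .authorizeRequests()
                    .regexMatchers("^/", "^/login", "^/mobile/login", "^/api/auth/.*")
                        .authenticated()
                    .and()
            ;
        }
    }
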
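Other routes I've taken have been akin to:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // disable anonymous users
                .anonymous().disable()
                // don't add ROLE_ to the role...
                .authorizeRequests()
                    .antMatchers("/**")
                        .authenticated()
                    .antMatchers("/", "/login", "/mobile/login", "/api/auth/**", "/reservations/**")
                        .permitAll()
                    .and()
            ;
        }
    }
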
Any advice / input would be appreciated.
Thanks!
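
One way to express "lock down everything except X, Y, and Z" with the adapter-style configuration from the question, as an added example that is not part of the original post. Matchers under authorizeRequests() are evaluated in declaration order and the first match wins, and with anonymous() disabled an unauthenticated request has no Authentication for a permitAll() rule to approve, so this example moves the public paths to WebSecurity.ignoring() instead. PUBLIC_PATHS is a name chosen here, and the login mechanism is left out as it is in the question.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: the public endpoints are the ones listed in the question.
    // Keep this list as narrow as possible; "/**" patterns open whole subtrees.
    private static final String[] PUBLIC_PATHS = {
        "/", "/login", "/mobile/login", "/api/auth/**", "/reservations/**"
    };

    @Override
    public void configure(WebSecurity web) {
        // Requests matching these patterns bypass the Spring Security filter
        // chain entirely. That also means no CSRF protection, no security
        // response headers and no SecurityContext on these paths, so only
        // endpoints that need none of those belong here.
        web.ignoring().antMatchers(PUBLIC_PATHS);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No AnonymousAuthenticationToken is created, so a request
            // without credentials reaches the authorization check with no
            // Authentication at all and is rejected.
            .anonymous().disable()
            .authorizeRequests()
                // Single catch-all rule: everything that was not ignored
                // above requires an authenticated user. If more rules are
                // added later, put the specific matchers BEFORE this line;
                // a broad matcher declared first shadows every rule after it.
                .anyRequest().authenticated();
    }
}
```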