You need to specify the path variable with a regular expression:
{spring:[a-z]+} matches the regexp [a-z]+ as a path variable named "spring"
If you do not, you may expose other routes. For example:
http.authorizeRequests()
    .antMatchers(HttpMethod.GET, "/users/{^[\\d]$}").authenticated()
    .antMatchers("/users/**").hasAuthority("admin")
and these methods in UserController:
@ResponseBody
@RequestMapping(value = "/users/{userId}", method = RequestMethod.GET)
public User getUser(@PathVariable("userId") Object userId) { // parameter renamed to match its use below
    return userService.getUserById(userId);
}

@ResponseBody
@RequestMapping(value = "/users/roles", method = RequestMethod.GET) // static segment under /users/
public List getAllRoles() {
    return userService.getAllRoles();
}
Because you did not specify the path variable userId, users will be able to make a GET request to "/users/roles" without having admin authority. Even though admin authority is required, other future routes (such as "/users/test") will be exposed as well. To prevent this:
antMatchers("/account/{accountId:\\d+}/download").access("hasAnyAuthority('ROLE_TOKENSAVED')") // \\d+ (one or more digits), not [\\d+]
if your path variable's name is "accountId".
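The full configuration described above, as an added example that is not part of the original answer: the class name UserSecurityConfig and the denyAll fallback are assumptions; the matcher check uses Spring's AntPathMatcher, which backs antMatchers, so the weak and the strict pattern can be compared against "/users/roles" before the rule is deployed.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.util.AntPathMatcher;

@Configuration
@EnableWebSecurity
public class UserSecurityConfig extends WebSecurityConfigurerAdapter { // class name assumed

    // Rules are evaluated in declaration order; the first pattern that matches decides.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Named variable with a digits-only regex: a non-numeric segment such as
            // "roles" or "test" does not match here and falls through to the admin rule.
            .antMatchers(HttpMethod.GET, "/users/{userId:\\d+}").authenticated()
            // Everything else under /users/, including routes added later, requires admin.
            .antMatchers("/users/**").hasAuthority("admin")
            // Deny by default for anything not listed above (assumed policy).
            .anyRequest().denyAll();
    }

    // antMatchers is backed by AntPathMatcher, so the same matcher shows which
    // paths a pattern captures.
    static boolean patternMatches(String pattern, String path) {
        return new AntPathMatcher().match(pattern, path);
    }

    public static void main(String[] args) {
        // Without the "name:regex" form, "{^[\\d]$}" is just a variable *named* ^[\d]$
        // and matches any single path segment, so /users/roles is captured by it.
        String weak = "/users/{^[\\d]$}";
        // With a name and a regex, only all-digit segments match.
        String strict = "/users/{userId:\\d+}";
        System.out.println("weak matches /users/roles: " + patternMatches(weak, "/users/roles"));
        System.out.println("strict matches /users/roles: " + patternMatches(strict, "/users/roles"));
        System.out.println("strict matches /users/42: " + patternMatches(strict, "/users/42"));
    }
}
```

On Spring Security 6 the same rules are written with authorizeHttpRequests() and requestMatchers(); the ordering and the {name:regex} syntax are unchanged.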