You can probably write it like this, avoiding any doubts about what Spring will do:
.antMatchers("/login", "/testa").permitAll()
I'm inferring this from the documentation.
No difference. If I change it in the controller to e.g. /login2 and add that to the ACL, it also throws access denied, and if I leave /login in the ACL and /login2 in the controller, I get Not found.
This is what my config looks like:
@Override
protected void configure(HttpSecurity http) throws Exception {
    final String roleAdmin = "ADMIN";
    http
        .csrf()
            .disable()
        .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/login").permitAll()
            .antMatchers("/testa").permitAll()
            .antMatchers("/search/**").permitAll()
            .antMatchers("/js/**").permitAll()
            .antMatchers("/css/**").permitAll()
            .antMatchers("/api/register/**").permitAll()
            .antMatchers("/api/leavemessage").permitAll()
            .antMatchers(HttpMethod.POST, "/api/auth").permitAll()
            .antMatchers("/api/search").permitAll()
            .antMatchers("/api/admin").hasRole(roleAdmin)
            .antMatchers("/api/user/password/change").hasAnyRole("USER", roleAdmin)
            .antMatchers("/api/user/password/reset").permitAll()
            .antMatchers("/api/user/password/reset/confirm/**").permitAll()
            .antMatchers("/api/user/details").hasAnyRole("USER", roleAdmin)
            .antMatchers("/api/signout").hasAnyRole("USER", roleAdmin)
            .anyRequest().authenticated()
            .and()
        // filter the api/login requests
        .addFilterBefore(new JWTLoginFilter("/api/auth", authenticationManager(), userService),
                UsernamePasswordAuthenticationFilter.class)
        // and filter other requests to check the presence of JWT in header
        .addFilterBefore(new JWTAuthenticationFilter(userService),
                UsernamePasswordAuthenticationFilter.class);
}