SPRING IN ACTION 第4版笔记-第九章Securing web applications-011-把敏感信息请求转为https(requiresChannel())

1.把包含敏感信息的请求转为https请求，则较为安全，但如何只把有需要安全的请求转为https,而不是不加分辩就把所有请求都转为https呢？可以用requiresChannel()

 1 @Override
 2 protected void configure(HttpSecurity http) throws Exception {
 3     http
 4         .authorizeRequests()
 5         .antMatchers("/spitter/me").hasRole("SPITTER")
 6         .antMatchers(HttpMethod.POST, "/spittles").hasRole("SPITTER")
 7         .anyRequest().permitAll();
 8     .and()
 9         .requiresChannel()
10         .antMatchers("/spitter/form").requiresSecure();
11 }

Any time a request comes in for /spitter/form, Spring Security will see that it requires a secure channel (per the call to requiresSecure() ) and automatically redirect the request to go over HTTPS .
Conversely, some pages don’t need to be sent over HTTPS . The home page, for example, doesn’t carry any sensitive information and should be sent over HTTP . You can declare that the home page always be sent over HTTP by using requires-Insecure() instead of requiresSecure :.antMatchers("/").requiresInecure();If a request for / comes in over HTTPS , Spring Security will redirect the request to flow over the insecure HTTP .

时间： 2024-08-27 10:48:46

SPRING IN ACTION 第4版笔记-第九章Securing web applications-011-把敏感信息请求转为https(requiresChannel())的相关文章

SPRING IN ACTION 第4版笔记-第九章Securing web applications-001-SpringSecurity简介(DelegatingFilterProxy、AbstractSecurityWebApplicationInitializer、WebSecurityConfigurerAdapter、@EnableWebSecurity、@EnableWebMvcS)

一.SpringSecurity的模块 At the least, you’ll want to include the Core and Configuration modules in your application’s classpath. Spring Security is often used to secure web applications, and that’s certainly the case with the Spittr application, so you’l

SPRING IN ACTION 第4版笔记-第九章Securing web applications-008-使用非关系型数据库时如何验证用户(自定义UserService)

一. 1.定义接口 Suppose that you need to authenticate against users in a non-relational database suchas Mongo or Neo4j. In that case, you’ll need to implement a custom implementationof the UserDetailsService interface. 1 public interface UserDetailsService

SPRING IN ACTION 第4版笔记-第九章Securing web applications-003-把用户数据存在数据库

一. 1.It’s quite common for user data to be stored in a relational database, accessed via JDBC . To configure Spring Security to authenticate against a JDBC -backed user store,you can use the jdbcAuthentication() method. The minimal configuration requ

SPRING IN ACTION 第4版笔记-第九章Securing web applications-002-把用户数据存在memory里(AuthenticationManagerBuilder、 UserDetailsManagerConfigurer.UserDetailsBuilder)

Spring Security is extremely flexible and is capable of authenticating users against virtually any data store. Several common user store situations—such as in-memory, relational database, and LDAP —are provided out of the box. But you can also create

SPRING IN ACTION 第4版笔记-第九章Securing web applications-011-把敏感信息请求转为https(requiresChannel())

SPRING IN ACTION 第4版笔记-第九章Securing web applications-011-把敏感信息请求转为https(requiresChannel())的相关文章

SPRING IN ACTION 第4版笔记-第九章Securing web applications-001-SpringSecurity简介(DelegatingFilterProxy、AbstractSecurityWebApplicationInitializer、WebSecurityConfigurerAdapter、@EnableWebSecurity、@EnableWebMvcS)

SPRING IN ACTION 第4版笔记-第九章Securing web applications-008-使用非关系型数据库时如何验证用户(自定义UserService)

SPRING IN ACTION 第4版笔记-第九章Securing web applications-003-把用户数据存在数据库

SPRING IN ACTION 第4版笔记-第九章Securing web applications-002-把用户数据存在memory里(AuthenticationManagerBuilder、 UserDetailsManagerConfigurer.UserDetailsBuilder)

SPRING IN ACTION 第4版笔记-第九章Securing web applications-004-对密码加密passwordEncoder

SPRING IN ACTION 第4版笔记-第二章WIRING BEANS-007-以set方法注入<property>\p-namespace\util-space

SPRING IN ACTION 第4版笔记-第二章Wiring Beans-005-<constructor-arg>和c-namespace

SPRING IN ACTION 第4版笔记-第二章[email protected]、@Autowired的用法

SPRING IN ACTION 第4版笔记-第八章Advanced Spring MVC-003-Pizza例子的基本流程