Spring Security interception notes
2021-10-05
virtual灬zzZ
formLogin and httpBasic
The configuration below intercepts only /myoauth/**. When formLogin() and httpBasic() are both present, formLogin takes precedence.
    http.authorizeRequests()
            .antMatchers("/myoauth/**").authenticated()
            .and()
        .httpBasic()
            .and()
        .formLogin().and()
        .csrf().disable();
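Testing different interception cases
Create three controllers: t1, t2 and t3. Only t1 is shown here as an example; t2 and t3 are the same with the names changed accordingly.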
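    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    @RequestMapping("/t1")
    public class T1Controller {
        // GET /t1/test returns the controller's name so the caller can tell which one answered
        @GetMapping("/test")
        public String t1() {
            return "t1";
        }
    }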
The security configuration is as follows:
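    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class MySc extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Enable one of the following lines at a time to test each case.
            //http.antMatcher("/t1/**").authorizeRequests().anyRequest().authenticated();
            //http.authorizeRequests().antMatchers("/t2/**").authenticated();
            //http.authorizeRequests().antMatchers("/t2/**").permitAll().anyRequest().authenticated();
            http.authorizeRequests().antMatchers("/t2/**").authenticated().anyRequest().permitAll();
        }
    }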
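http.authorizeRequests().antMatchers("/t2/**").authenticated().anyRequest().permitAll(); In this case only /t2 is intercepted (403 error), while t1 and t3 can be accessed freely.
http.antMatcher("/t1/**").authorizeRequests().anyRequest().authenticated(); In this case only /t1 is intercepted (403 error), while t2 and t3 can be accessed freely.
http.authorizeRequests().antMatchers("/t3/**").authenticated(); In this case only /t3 is intercepted (403 error), while t2 and t1 can be accessed freely.
http.authorizeRequests().antMatchers("/t2/**").permitAll().anyRequest().authenticated(); In this case only t2 can be accessed freely, while t3 and t1 are both intercepted.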
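
The first case above (the line left active in MySc) can be pinned down with an automated test instead of manual requests. This is an added example, not code from the original post; it assumes a Spring Boot 2.x application containing MySc and the three controllers, that t3 returns "t3", and that spring-boot-starter-test and spring-security-test are on the test classpath. The class name InterceptionRulesTest is hypothetical.

```java
// Added example (not from the original post). Assumes MySc is active with:
//   http.authorizeRequests().antMatchers("/t2/**").authenticated().anyRequest().permitAll();
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@SpringBootTest
@AutoConfigureMockMvc
class InterceptionRulesTest {

    @Autowired
    private MockMvc mvc;

    // Anonymous request to the only protected prefix. MySc configures no login
    // mechanism, so the response is 403 rather than a redirect or a 401 challenge.
    @Test
    void anonymousIsRejectedOnT2() throws Exception {
        mvc.perform(get("/t2/test")).andExpect(status().isForbidden());
    }

    // Every other path falls through to anyRequest().permitAll().
    @Test
    void anonymousReachesT1AndT3() throws Exception {
        mvc.perform(get("/t1/test")).andExpect(status().isOk()).andExpect(content().string("t1"));
        mvc.perform(get("/t3/test")).andExpect(status().isOk()).andExpect(content().string("t3"));
    }

    // With an authenticated principal the /t2/** rule is satisfied.
    @Test
    @WithMockUser
    void authenticatedUserReachesT2() throws Exception {
        mvc.perform(get("/t2/test")).andExpect(status().isOk());
    }

    // A path no controller maps is still permitted by the catch-all rule, so it
    // reaches the dispatcher and yields 404 instead of 403.
    @Test
    void unmappedPathIsNotIntercepted() throws Exception {
        mvc.perform(get("/t4/test")).andExpect(status().isNotFound());
    }
}
```

Switching the active line in MySc to one of the other three cases and adjusting the expected statuses turns each observation in the list into a regression check.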