Spring Security (14): 5.4 Authorize Requests
Our examples have only required users to be authenticated and have done so for every URL in our application. We can specify custom requirements for our URLs by adding multiple children to our http.authorizeRequests() method. For example:
```java
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()                                                     // (1)
            .antMatchers("/resources/**", "/signup", "/about").permitAll()       // (2)
            .antMatchers("/admin/**").hasRole("ADMIN")                           // (3)
            .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // (4)
            .anyRequest().authenticated()                                        // (5)
            .and()
        // ...
        .formLogin();
}
```
1、There are multiple children to the http.authorizeRequests() method; each matcher is considered in the order it was declared, and the first matcher that fits the request decides the rule. More specific patterns therefore have to be declared before broader ones, and a rule placed after a pattern that already covers its URLs is never consulted.
2、We specified multiple URL patterns that any user can access. Specifically, any user can access a request if the URL starts with "/resources/", equals "/signup", or equals "/about".
3、Any URL that starts with "/admin/" will be restricted to users who have the role "ROLE_ADMIN". You will notice that since we are invoking the hasRole method we do not need to specify the "ROLE_" prefix.
4、Any URL that starts with "/db/" requires the user to have both "ROLE_ADMIN" and "ROLE_DBA". You will notice that since we are using the hasRole expression we do not need to specify the "ROLE_" prefix.
5、Any URL that has not already been matched only requires that the user be authenticated.
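The ordering rule in callout 1 is the one that bites in practice. The following added example (written for this page, not code from the Spring Security reference) shows two configurations of the same rules side by side: a shadowed one, where a broad pattern declared first swallows the admin URLs, and the corrected one with the most specific pattern first. The paths /api/**, /api/admin/** and /public/** are hypothetical; only one of the two adapters would be active in a real application.

```java
// Added example, not from the Spring Security reference. Hypothetical paths:
// /api/** is a REST API, /api/admin/** its administrative part.
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

public class AuthorizeRequestsOrdering {

    // WRONG: "/api/**" also matches "/api/admin/users", and matchers are
    // evaluated in declaration order with first-match-wins. Every admin
    // request is therefore decided by the first rule and only needs an
    // authenticated user; the hasRole("ADMIN") rule is never reached.
    static class ShadowedAdminRule extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/api/**").authenticated()         // matches /api/admin/** too
                    .antMatchers("/api/admin/**").hasRole("ADMIN")  // unreachable
                    .anyRequest().denyAll()
                    .and()
                .httpBasic();
        }
    }

    // CORRECT: most specific pattern first, broader patterns after it, and an
    // explicit anyRequest() catch-all at the end so that a URL nobody listed
    // is not left open by accident. denyAll() fails closed, which is the
    // sensible default for an API; use authenticated() where unlisted URLs
    // should merely require login.
    static class SpecificBeforeGeneral extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/api/admin/**").hasRole("ADMIN")
                    .antMatchers("/api/**").authenticated()
                    .antMatchers("/public/**", "/login").permitAll()
                    .anyRequest().denyAll()
                    .and()
                .httpBasic();
        }
    }
}
```

A quick way to catch this class of mistake is to read the matcher list top to bottom for every sensitive URL and stop at the first pattern that matches it: whatever that line says is the effective rule, regardless of what follows.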
5.5 Handling Logouts
When using the WebSecurityConfigurerAdapter, logout capabilities are automatically applied. The default is that accessing the URL /logout will log the user out by:
- Invalidating the HTTP Session
- Cleaning up any RememberMe authentication that was configured
- Clearing the SecurityContextHolder
- Redirecting to /login?logout
Similar to configuring login capabilities, however, you also have various options to further customize your logout requirements:
```java
protected void configure(HttpSecurity http) throws Exception {
    http
        .logout()                                       // (1)
            .logoutUrl("/my/logout")                    // (2)
            .logoutSuccessUrl("/my/index")              // (3)
            .logoutSuccessHandler(logoutSuccessHandler) // (4)
            .invalidateHttpSession(true)                // (5)
            .addLogoutHandler(logoutHandler)            // (6)
            .deleteCookies(cookieNamesToClear)          // (7)
            .and()
        ...
}
```
1、Provides logout support. This is automatically applied when using WebSecurityConfigurerAdapter.
2、The URL that triggers log out to occur (default is /logout). If CSRF protection is enabled (default), then the request must also be a POST. For more information, please consult the JavaDoc.
3、The URL to redirect to after logout has occurred. The default is /login?logout. For more information, please consult the JavaDoc.
4、Lets you specify a custom LogoutSuccessHandler. If this is specified, logoutSuccessUrl() is ignored. For more information, please consult the JavaDoc.
5、Specify whether to invalidate the HttpSession at the time of logout. This is true by default. Configures the SecurityContextLogoutHandler under the covers. For more information, please consult the JavaDoc.
6、Adds a LogoutHandler. SecurityContextLogoutHandler is added as the last LogoutHandler by default.
7、Allows specifying the names of cookies to be removed on logout success. This is a shortcut for adding a CookieClearingLogoutHandler explicitly.
Generally, in order to customize logout functionality, you can add LogoutHandler and/or LogoutSuccessHandler implementations. For many common scenarios, these handlers are applied under the covers when using the fluent API.
5.5.1 LogoutHandler
Generally, LogoutHandler implementations indicate classes that are able to participate in logout handling. They are expected to be invoked to perform necessary clean-up. As such they should not throw exceptions. Various implementations are provided:
- PersistentTokenBasedRememberMeServices
- TokenBasedRememberMeServices
- CookieClearingLogoutHandler
- CsrfLogoutHandler
- SecurityContextLogoutHandler
Please see Section 17.4, “Remember-Me Interfaces and Implementations” for details.
Instead of providing LogoutHandler implementations directly, the fluent API also provides shortcuts that provide the respective LogoutHandler implementations under the covers. E.g. deleteCookies() allows specifying the names of one or more cookies to be removed on logout success. This is a shortcut compared to adding a CookieClearingLogoutHandler.
5.5.2 LogoutSuccessHandler
The LogoutSuccessHandler is called by the LogoutFilter after a successful logout, to handle e.g. redirection or forwarding to the appropriate destination. Note that the interface is almost the same as LogoutHandler but may raise an exception. The following implementations are provided:
- SimpleUrlLogoutSuccessHandler
- HttpStatusReturningLogoutSuccessHandler
As mentioned above, you don't need to specify the SimpleUrlLogoutSuccessHandler directly. Instead, the fluent API provides a shortcut by setting the logoutSuccessUrl(). This will set up the SimpleUrlLogoutSuccessHandler under the covers. The provided URL will be redirected to after a logout has occurred. The default is /login?logout. HttpStatusReturningLogoutSuccessHandler, by contrast, does not redirect at all but answers the logout request with a configurable HTTP status (200 OK by default), which is what a REST client that cannot follow a redirect to a login page needs.
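The following added example (written for this page, not code from the Spring Security reference) ties together the fluent API from the configuration above and the handler types from 5.5.1 and 5.5.2: a custom LogoutHandler that revokes a server-side API token without ever throwing, registered with addLogoutHandler() next to the deleteCookies() shortcut, and an HttpStatusReturningLogoutSuccessHandler in place of the default redirect. ApiTokenStore, the X-Api-Token header and the /api/logout URL are assumptions made for the example.

```java
// Added example, not from the Spring Security reference. ApiTokenStore and the
// X-Api-Token header are hypothetical names chosen for this illustration.
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;

public class ApiLogoutConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical store of issued API tokens. In a real deployment this would
    // be a database or cache shared by all application instances.
    static final class ApiTokenStore {
        private final Set<String> active = ConcurrentHashMap.newKeySet();
        void issue(String token) { active.add(token); }
        boolean isActive(String token) { return active.contains(token); }
        void revoke(String token) { active.remove(token); }
    }

    // A LogoutHandler performs clean-up and must not throw: an exception here
    // would abort the handler chain before SecurityContextLogoutHandler (added
    // last by default) runs, leaving the session and SecurityContextHolder intact.
    static final class ApiTokenRevokingLogoutHandler implements LogoutHandler {
        private final ApiTokenStore store;

        ApiTokenRevokingLogoutHandler(ApiTokenStore store) { this.store = store; }

        @Override
        public void logout(HttpServletRequest request, HttpServletResponse response,
                           Authentication authentication) {
            String token = request.getHeader("X-Api-Token");
            if (token == null || token.isEmpty()) {
                return; // e.g. a browser session that never held an API token
            }
            try {
                store.revoke(token);
            } catch (RuntimeException e) {
                // Log and continue so the remaining handlers still run.
                request.getServletContext().log("API token revocation failed", e);
            }
        }
    }

    private final ApiTokenStore tokenStore = new ApiTokenStore();

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .logout()
                // With CSRF protection enabled (the default) this must be a POST.
                .logoutUrl("/api/logout")
                // Custom handler runs before the default SecurityContextLogoutHandler.
                .addLogoutHandler(new ApiTokenRevokingLogoutHandler(tokenStore))
                // Shortcut for a CookieClearingLogoutHandler.
                .deleteCookies("JSESSIONID", "remember-me")
                .invalidateHttpSession(true)
                // An API client cannot use a redirect to /login?logout; answer 204 instead.
                .logoutSuccessHandler(
                    new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT));
    }
}
```

The revocation happens server side on purpose: clearing cookies only affects the browser that sent the request, whereas a token still present in the store would keep working from any client that copied it. Note that logoutSuccessHandler() takes precedence over logoutSuccessUrl(), so the two should not be combined.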
5.5.3 Further Logout-Related References
- Logout Handling
- Testing Logout
- HttpServletRequest.logout()
- Section 17.4, “Remember-Me Interfaces and Implementations”
- Logging Out in section CSRF Caveats
- Section Single Logout (CAS protocol)
- Documentation for the logout element in the Spring Security XML Namespace section