Securing web applications-011-Redirecting requests that carry sensitive information to HTTPS (requiresChannel())
Posted shamgod
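1. Sending requests that carry sensitive information over HTTPS makes them more secure. But how do you move only the requests that need protection to HTTPS, rather than indiscriminately moving every request? Use requiresChannel():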
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Authorization rules: who may access which paths
            .authorizeRequests()
                .antMatchers("/spitter/me").hasRole("SPITTER")
                .antMatchers(HttpMethod.POST, "/spittles").hasRole("SPITTER")
                .anyRequest().permitAll()
            .and()
            // Channel rules: which paths must be served over HTTPS
            .requiresChannel()
                .antMatchers("/spitter/form").requiresSecure();
    }
Any time a request comes in for /spitter/form, Spring Security will see that it requires a secure channel (per the call to requiresSecure()) and automatically redirect the request to go over HTTPS.
Conversely, some pages don’t need to be sent over HTTPS. The home page, for example, doesn’t carry any sensitive information and should be sent over HTTP. You can declare that the home page always be sent over HTTP by using requiresInsecure() instead of requiresSecure():

    .antMatchers("/").requiresInsecure();

If a request for / comes in over HTTPS, Spring Security will redirect the request to flow over the insecure HTTP.