java Spring Boot 安全匿名授权
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/40356150/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Spring Boot Security Anonymous authorization
提问by user1935987
For multiple purposes I need to use
出于多种目的,我需要使用
SecurityContextHolder.getContext().getAuthentication()
methods in my controllers/services.
我的控制器/服务中的方法。
I did migrate my app to Spring Boot 1.4.1 from XML configured Spring MVC app (now only Java configs), similar approach worked before.
我确实从 XML 配置的 Spring MVC 应用程序(现在只有 Java 配置)将我的应用程序迁移到 Spring Boot 1.4.1,类似的方法以前工作过。
I have a problem calling SecurityContextHolder.getContext().getAuthentication(), for example in this controller:
我在调用 时遇到问题SecurityContextHolder.getContext().getAuthentication(),例如在这个控制器中:
@RestController
@Secured("IS_AUTHENTICATED_ANONYMOUSLY")
@RequestMapping("utils")
public class UtilsController {
@RequestMapping(value = "/check_auth", method = RequestMethod.GET)
public Boolean getAuthState() throws SQLException {
if (SecurityContextHolder.getContext().getAuthentication() == null){
logger.info("Auth obj null");
}
if (SecurityContextHolder.getContext().getAuthentication().getName() != null && SecurityContextHolder.getContext().getAuthentication().getName() != "anonymousUser") {
return true;
} else return false;
}
}
it always returns null. Can't figure out why anonymous authentication is not working.
它总是返回null。无法弄清楚为什么匿名身份验证不起作用。
Here is the Spring Security configuration:
这是Spring Security 配置:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint).and()
.formLogin()
.successHandler(ajaxSuccessHandler)
.failureHandler(ajaxFailureHandler)
.loginProcessingUrl("/authentication")
.passwordParameter("password")
.usernameParameter("username")
.and()
.logout()
.deleteCookies("JSESSIONID")
.invalidateHttpSession(true)
.logoutUrl("/logout")
.logoutSuccessUrl("/")
.and()
.csrf().disable()
// .anonymous().disable()
.authorizeRequests()
// .anyRequest().anonymous()
.antMatchers("/utils").permitAll()
.antMatchers("/oauth/token").permitAll()
.antMatchers("/admin/*").access("hasRole('ROLE_ADMIN')")
.antMatchers("/user/*").access("hasRole('ROLE_USER')");
}
I did tried with and without @Securedannotation on the controller.
我确实尝试过@Secured在控制器上加注和不加注。
.authorizeRequests()
// .anyRequest().anonymous()
.antMatchers("/utils").permitAll()
different variations with this settings.
此设置的不同变化。
采纳答案by Moshe Arad
You are getting nullwith:
您正在获得null:
SecurityContextHolder.getContext().getAuthentication()
because you are not authenticating within you security configuration.
因为您没有在安全配置中进行身份验证。
You can add a simple:
您可以添加一个简单的:
.authenticated()
.and()
// ...
.formLogin();
in case you're using form login.
如果您使用表单登录。
Now after you'll authenticate each request you suppose to get something other than null.
现在,在您对每个请求进行身份验证后,您想得到的不是null.
Here's an example from Spring Security docs:
这是 Spring Security 文档中的一个示例:
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/resources/**", "/signup", "/about").permitAll()
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")
.anyRequest().authenticated()
.and()
// ...
.formLogin();
}
