Java Spring Security permitAll() 不允许匿名访问
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/24696717/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Spring Security permitAll() not allowing anonymous access
提问by Marceau
I have a single method that I want to allow both anonymous and authenticated access to.
我有一个方法,我想允许匿名和经过身份验证的访问。
I am using Spring Security 3.2.4 with java based configuration.
我将 Spring Security 3.2.4 与基于 Java 的配置一起使用。
The overridden configure method (in my custom configuration class extending WebSecurityConfigurerAdapter) has the following http block:
覆盖的配置方法(在我扩展 WebSecurityConfigurerAdapter 的自定义配置类中)具有以下 http 块:
http
.addFilterBefore(muiltpartFilter, ChannelProcessingFilter.class)
.addFilterBefore(cf, ChannelProcessingFilter.class)
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.authorizeRequests()
.antMatchers("/ping**")
.permitAll()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/login");
The ping request handler and method is in a controller that also contains the login handler, and it has no separate @PreAuthorize or other annotations that might cause the issue.
ping 请求处理程序和方法位于还包含登录处理程序的控制器中,并且它没有单独的 @PreAuthorize 或其他可能导致问题的注释。
The problem is that anonymous access is denied and the user is redirected to the login page.
问题是匿名访问被拒绝,用户被重定向到登录页面。
Logging at the debug level, I see the following feedback from Spring Security:
在调试级别记录日志,我看到来自 Spring Security 的以下反馈:
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] Secure object: FilterInvocation: URL: /ping; Attributes: [authenticated]
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faad796: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffffa64e: RemoteIpAddress: 192.168.2.128; SessionId: 0EF6B13BBA5F00C020FF9C35A6E3FBA9; Granted Authorities: ROLE_ANONYMOUS
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.access.vote.AffirmativeBased] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@123f2882, returned: -1
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.ExceptionTranslationFilter] Access is denied (user is anonymous); redirecting to authentication entry point
What I'm trying to accomplish is to have a method that can be called at any point and which will send a reply indicating whether or not the request is inside a logged-in session.
我想要完成的是拥有一个可以在任何时候调用的方法,它将发送一个回复,指示请求是否在登录会话中。
回答by PeiSong
I saw the same issue. Make sure you didn't callsuper.configure(http);anyRequest().authenticated();
is called by default.
我看到了同样的问题。确保您没有调用super.configure(http);anyRequest().authenticated();
默认情况下调用。
回答by samsong8610
The permission order is important, it works when I configure it like this:
权限顺序很重要,当我像这样配置它时它会起作用:
.authorizeRequests()
.antMatchers("/ping**")
.permitAll()
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
回答by Kris
Need to add .annonymous()
需要添加.anonymous()
http
.addFilterBefore(muiltpartFilter, ChannelProcessingFilter.class)
.addFilterBefore(cf, ChannelProcessingFilter.class)
.anonymous().and()
.authorizeRequests().anyRequest().authenticated().and()
.authorizeRequests()
.antMatchers("/ping**")
.permitAll()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/login");
Referred from: https://stackoverflow.com/a/25280897/256245
