Spring security, either http basic or form login authentication

Question
I have a web app developed using Spring MVC and Spring Security 3.2. I want my app to use HTTP Basic authentication for the RESTful service and form login authentication for the other part. Below is my security configuration:
<http pattern="/services/**" create-session="stateless" use-expressions="true">
    <!-- hasRole() takes a single role name; to allow either role use hasAnyRole() -->
    <intercept-url pattern="/**" access="hasAnyRole('ROLE_REMOTE','ROLE_USER')"/>
    <http-basic />
</http>

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/static/**" access="permitAll" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <form-login login-page="/login.do" always-use-default-target="true" default-target-url="/main.do" />
    <logout invalidate-session="true" logout-success-url="/login.do"
            logout-url="/j_spring_security_logout" />
</http>
What I expect is: when a user logs in from the form, they can invoke the RESTful service without going through basic authentication (since they have already been authenticated). My thought is that a user with role 'ROLE_USER' should also be able to call the RESTful service. However, what I got is that after I logged in from the form, I was still prompted to do basic authentication when trying to call the RESTful service from the browser.

Is there any way to get what I expect?
Answer
The answer could be in the description of the create-session attribute:

- never - Spring Security will never create a session, but will make use of one if the application does.
- stateless - Spring Security will not create a session and will ignore the session for obtaining a Spring Authentication.

Since you chose stateless, the auth object persisted in the session after the form login is ignored. Try if never works as you expect.
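The same two filter chains expressed in Spring Security 3.2 Java config, as an added example that is not part of the original question or answer. It applies the answer (create-session="never" becomes SessionCreationPolicy.NEVER on the /services/** chain), uses hasAnyRole for the two roles, and keeps the asker's URLs and role names; the class names SecurityConfig, ServicesConfig and WebConfig are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Chain 1 (lowest @Order is tried first): only /services/** reaches it.
    @Configuration
    @Order(1)
    public static class ServicesConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/services/**")
                // NEVER: this chain creates no session but reuses the one the form
                // login created, so a logged-in browser is accepted without Basic auth.
                // STATELESS would ignore that session and always demand Basic credentials.
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
                .and().authorizeRequests()
                    // hasAnyRole, not hasRole("ROLE_REMOTE,ROLE_USER"); the ROLE_ prefix is added.
                    .anyRequest().hasAnyRole("REMOTE", "USER")
                .and().httpBasic();
            // Java config enables CSRF protection by default (XML config does not). Since the
            // session cookie now authorizes /services/**, state-changing requests from a browser
            // are exposed to CSRF, so leave it on; non-browser clients must send the token.
        }
    }

    // Chain 2: everything else, protected by form login.
    @Configuration
    @Order(2)
    public static class WebConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/static/**").permitAll()
                    .anyRequest().hasRole("USER")
                .and().formLogin()
                    .loginPage("/login.do").defaultSuccessUrl("/main.do", true).permitAll()
                .and().logout()
                    .logoutUrl("/j_spring_security_logout")
                    .logoutSuccessUrl("/login.do").invalidateHttpSession(true);
        }
    }
}
```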