基于Java的配置以启用Spring Security匿名访问 [英] Java based configuration to enable spring security anonymous access

问题描述

我想启用"ROLE_ANONYMOUS" ，以允许匿名访问我的应用程序中的某些网址.我使用了以下配置.

I want to enable the use of "ROLE_ANONYMOUS" to allow anonymous access to some urls in my app. And I used the below configuration.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .requestCache()
            .requestCache(new NullRequestCache()).and()
        .anonymous().authorities("ROLE_ANONYMOUS").and()
        .exceptionHandling().and()
        .servletApi().and()
        .headers().cacheControl().and()
        .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/profile/image").permitAll()
            .antMatchers("/favicon.ico").permitAll()
            .antMatchers("/resources/**").permitAll()

            //.antMatchers(HttpMethod.GET, "/login/**").permitAll()
            //.antMatchers(HttpMethod.GET, "/location/**").permitAll()

            .anyRequest().authenticated()/*.and()
            .apply(new SpringSocialConfigurer())*/;

        // custom Token based authentication based on the header previously given to the client
        //.addFilterBefore(new StatelessAuthenticationFilter(tokenAuthenticationService), UsernamePasswordAuthenticationFilter.class);
}

我的控制器如下:

@RestController
@RequestMapping(value="/login", produces="application/json")
public class LoginController {


    @Secured( value={"ROLE_ANONYMOUS"})
    @RequestMapping(method=RequestMethod.GET)
    public String get(){
        return "hello";
    }
}

但是，当我尝试点击"/login"时，出现403访问被拒绝的错误. 请帮助我如何启用基于注释的匿名访问.

But when I try to hit "/login" I get 403 access denied error. Please help me how I can enable annotation based anonymous access.

推荐答案

如Faraj Farook所写，您必须允许访问您的登录页面URL.您评论了相关行:

As Faraj Farook wrote, you have to permit access to your login page URL. You commented the relevant line out:

@Override
protected void configure(HttpSecurity http) throws Exception {
     http
        .anonymous()
            .authorities("ROLE_ANONYMOUS")
            .and()
        .headers()
             .cacheControl()
             .and()
        .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/profile/image").permitAll()
            .antMatchers("/favicon.ico").permitAll()
            .antMatchers("/resources/**").permitAll()

            .antMatchers(HttpMethod.GET, "/login/**").permitAll()

            .anyRequest().authenticated()
}

但是，如果您不想使用permitAll()，则可以使用hasAuthority("ROLE_ANONYMOUS").在这种情况下，您不需要使用 @Secured( value={"ROLE_ANONYMOUS"}).

But if you prefer not to use permitAll() you could use hasAuthority("ROLE_ANONYMOUS"). In this case you don't need to annotate your method with @Secured( value={"ROLE_ANONYMOUS"}).

这篇关于基于Java的配置以启用Spring Security匿名访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！