Why is the 'anonymousUser' authenticated in Spring Security?


Question

Here is my main controller:

package org.demian.demibox.controllers;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class MainController {
    private String getUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth.isAuthenticated())
            return auth.getName();
        else
            return null;
    }
    @RequestMapping(value = "/", method = RequestMethod.GET)
    public String showHome() {
        String username = getUsername();
        System.out.println(username);
        if (username == null || username.length() == 0)
            return "welcome";
        return "index";
    }
}


Even though I am not logged in, auth.isAuthenticated() always returns true. Why is that? And when would auth.isAuthenticated() return false? The name of the authenticated user is anonymousUser if I'm not logged in and username if I am logged in.

Here is my security-context.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="dataSource" id="jdbcUserService" />
            <!-- <security:password-encoder ref="passwordEncoder" /> -->
        </security:authentication-provider>
    </security:authentication-manager>
    <security:http use-expressions="true">
        <security:intercept-url pattern="/" access="permitAll" />
        <security:intercept-url pattern="/login" access="permitAll" />
        <security:intercept-url pattern="/redeem" access="permitAll" />
        <security:intercept-url pattern="/redeem_code" access="permitAll" />
        <security:intercept-url pattern="/static/**" access="permitAll" />
        <security:intercept-url pattern="/*" access="isAuthenticated()" />
        <security:intercept-url pattern="/**" access="isAuthenticated()" />
        <security:intercept-url pattern="/**" access="denyAll" />
        <security:form-login login-page="/login" authentication-failure-url="/login?error=true" />
        <security:logout logout-success-url="/" />
        <security:remember-me key="offersAppKey" user-service-ref="jdbcUserService" />
    </security:http>
    <security:global-method-security secured-annotations="enabled" />
    <!-- <bean id="passwordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" /> -->
</beans>

The web.xml file contains the following lines:

<filter>
    <display-name>springSecurityFilterChain</display-name>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>


I am using Tomcat 8.0 and all the latest dependencies via Maven.

Answer


This is how spring-security works by default.

From the documentation:


Note that there is no real conceptual difference between a user who is "anonymously authenticated" and an unauthenticated user. Spring Security’s anonymous authentication just gives you a more convenient way to configure your access-control attributes. Calls to servlet API calls such as getCallerPrincipal, for example, will still return null even though there is actually an anonymous authentication object in the SecurityContextHolder.


There are other situations where anonymous authentication is useful, such as when an auditing interceptor queries the SecurityContextHolder to identify which principal was responsible for a given operation. Classes can be authored more robustly if they know the SecurityContextHolder always contains an Authentication object, and never null.


If you need to check whether it is an anonymousUser, then you can check whether the Authentication object is an AnonymousAuthenticationToken instance or not.
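As an added illustration (not code from the question or the answer above), the following helper applies that check: it treats a missing or anonymous Authentication as "not logged in", and separately uses Spring Security's AuthenticationTrustResolver so that remember-me logins (which the question's security-context.xml enables) can be told apart from a fresh form login. The class name CurrentUser and its package placement are assumptions.

```java
package org.demian.demibox.controllers; // assumed location, same package as the question's controller

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical helper: distinguishes anonymous, remember-me and fully logged-in users. */
public final class CurrentUser {
    private static final AuthenticationTrustResolver TRUST_RESOLVER = new AuthenticationTrustResolverImpl();

    private CurrentUser() {}

    /** Returns the logged-in user's name, or null when the request is anonymous. */
    public static String getUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Inside the filter chain the anonymous filter supplies an AnonymousAuthenticationToken,
        // but code running outside the chain (e.g. a scheduled job) can see null, so guard for it.
        if (auth == null || auth instanceof AnonymousAuthenticationToken) {
            return null;
        }
        // isAuthenticated() is also true for the anonymous token, which is why the
        // instanceof check above has to come first.
        return auth.isAuthenticated() ? auth.getName() : null;
    }

    /** True only for a user who logged in during this session, not via a remember-me cookie. */
    public static boolean isFullyAuthenticated() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null
                && auth.isAuthenticated()
                && !TRUST_RESOLVER.isAnonymous(auth)
                && !TRUST_RESOLVER.isRememberMe(auth);
    }
}
```

In the question's showHome(), replacing the private getUsername() with CurrentUser.getUsername() makes the null check behave as the author expected, because "anonymousUser" is no longer returned as a name.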
