Spring Security permitAll 不允许匿名访问 [英] Spring Security permitAll not allowing anonymous access

问题描述

我有一个方法，我想允许匿名访问和经过身份验证的访问.

I have a single method that I want to allow both anonymous and authenticated access to.

我使用 Spring Security 3.2.4 和基于 Java 的配置.

I am using Spring Security 3.2.4 with Java based configuration.

覆盖的配置方法(在我的自定义配置类中扩展 WebSecurityConfigurerAdapter)具有以下 http 块:

The overridden configure method (in my custom configuration class extending WebSecurityConfigurerAdapter) has the following http block:

    http
        .addFilterBefore(muiltpartFilter, ChannelProcessingFilter.class)
        .addFilterBefore(cf, ChannelProcessingFilter.class)
        .authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
        .authorizeRequests()
            .antMatchers("/ping**")
            .permitAll()
            .and()
        .formLogin()
            .loginPage("/login")
            .permitAll()
            .and()
        .logout()
            .logoutUrl("/logout")
        .logoutSuccessUrl("/login");

ping 请求处理程序和方法位于还包含登录处理程序的控制器中，并且没有单独的 @PreAuthorize 或其他可能导致问题的注释.

The ping request handler and method is in a controller that also contains the login handler, and it has no separate @PreAuthorize or other annotations that might cause the issue.

问题是匿名访问被拒绝，用户被重定向到登录页面.

The problem is that anonymous access is denied and the user is redirected to the login page.

在调试级别登录，我看到来自 Spring Security 的以下反馈:

Logging at the debug level, I see the following feedback from Spring Security:

[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] Secure object: FilterInvocation: URL: /ping; Attributes: [authenticated]
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faad796: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffffa64e: RemoteIpAddress: 192.168.2.128; SessionId: 0EF6B13BBA5F00C020FF9C35A6E3FBA9; Granted Authorities: ROLE_ANONYMOUS
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.access.vote.AffirmativeBased] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@123f2882, returned: -1
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.ExceptionTranslationFilter] Access is denied (user is anonymous); redirecting to authentication entry point

我想要完成的是有一个可以在任何时候调用的方法，它会发送一个回复，指示请求是否在登录的会话中.

What I'm trying to accomplish is to have a method that can be called at any point and which will send a reply indicating whether or not the request is inside a logged-in session.

推荐答案

权限顺序很重要，当我这样配置时它会起作用:

The permission order is important, it works when I configure it like this:

.authorizeRequests()
        .antMatchers("/ping**")
        .permitAll()
        .and()
.authorizeRequests()
        .anyRequest()
        .authenticated()
        .and()

这篇关于Spring Security permitAll 不允许匿名访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！