为什么“anonymousUser”Spring Security的认证？ [英] Why is the 'anonymousUser' authenticated in Spring Security?

问题描述

这是我的主控制器：

package org.demian.demibox.controllers;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class MainController {
    private String getUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth.isAuthenticated())
            return auth.getName();
        else
            return null;
    }
    @RequestMapping(value = "/", method = RequestMethod.GET)
    public String showHome() {
        String username = getUsername();
        System.out.println(username);
        if (username == null || username.length() == 0)
            return "welcome";
        return "index";
    }
}

即使我没有登录， auth.isAuthenticated（）总是返回真正。这是为什么？而当将 auth.isAuthenticated（）返回假的？经过身份验证的用户的名称是 anonymousUser 如果我没有登录和用户名，如果我在我登录。

Even though I am not logged in, auth.isAuthenticated() always returns true. Why is that? And when would auth.isAuthenticated() return false? The name of the authenticated user is anonymousUser if I'm not logged in and username if I am logged in.

这是我的安全context.xml中文件：

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="dataSource" id="jdbcUserService" />
            <!-- <security:password-encoder ref="passwordEncoder" /> -->
        </security:authentication-provider>
    </security:authentication-manager>
    <security:http use-expressions="true">
        <security:intercept-url pattern="/" access="permitAll" />
        <security:intercept-url pattern="/login" access="permitAll" />
        <security:intercept-url pattern="/redeem" access="permitAll" />
        <security:intercept-url pattern="/redeem_code" access="permitAll" />
        <security:intercept-url pattern="/static/**" access="permitAll" />
        <security:intercept-url pattern="/*" access="isAuthenticated()" />
        <security:intercept-url pattern="/**" access="isAuthenticated()" />
        <security:intercept-url pattern="/**" access="denyAll" />
        <security:form-login login-page="/login" authentication-failure-url="/login?error=true" />
        <security:logout logout-success-url="/" />
        <security:remember-me key="offersAppKey" user-service-ref="jdbcUserService" />
    </security:http>
    <security:global-method-security secured-annotations="enabled" />
    <!-- <bean id="passwordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" /> -->
</beans>

和下面的线在的web.xml 文件：

<filter>
    <display-name>springSecurityFilterChain</display-name>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

我通过Maven的使用Tomcat 8.0和最新的依赖关系。

I am using Tomcat 8.0 and all the latest dependencies via Maven.

推荐答案

这是怎么春季安全工作在默认情况下。

This is how spring-security works by default.

从文档：

需要注意的是谁是匿名认证用户和未认证用户之间没有真正概念上的差异。 Spring Security的匿名认证只是给您配置的访问控制属性更方便的方法。调用Servlet API的调用，如 getCallerPrincipal ，例如，仍然会返回null，即使实际上没有在 SecurityContextHolder中。

Note that there is no real conceptual difference between a user who is "anonymously authenticated" and an unauthenticated user. Spring Security’s anonymous authentication just gives you a more convenient way to configure your access-control attributes. Calls to servlet API calls such as getCallerPrincipal, for example, will still return null even though there is actually an anonymous authentication object in the SecurityContextHolder.

有其他情况下匿名身份验证是非常有用的，当一个审计拦截器查询，如 SecurityContextHolder中来确定哪些主要负责给定的操作。类可以，如果他们知道 SecurityContextHolder中总是包含验证对象，永远不能为null更加稳健着。

There are other situations where anonymous authentication is useful, such as when an auditing interceptor queries the SecurityContextHolder to identify which principal was responsible for a given operation. Classes can be authored more robustly if they know the SecurityContextHolder always contains an Authentication object, and never null.

如果你需要检查它是否是一个 anonymousUser ，那么你可以检查验证对象是否为 AnonymousAuthenticationToken 实例与否。

If you need to check if it is an anonymousUser then you can check whether Authentication object is AnonymousAuthenticationToken instance or not.

这篇关于为什么“anonymousUser”Spring Security的认证？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！