Spring Security permitAll（）不允许匿名访问 [英] Spring Security permitAll() not allowing anonymous access

问题描述

我有一个方法，我想允许匿名和经过身份验证的访问。

I have a single method that I want to allow both anonymous and authenticated access to.

我正在使用基于java的配置的Spring Security 3.2.4。

I am using Spring Security 3.2.4 with java based configuration.

重写的配置方法（在我的自定义配置类中扩展WebSecurityConfigurerAdapter）具有以下http块：

The overridden configure method (in my custom configuration class extending WebSecurityConfigurerAdapter) has the following http block:

    http
        .addFilterBefore(muiltpartFilter, ChannelProcessingFilter.class)
        .addFilterBefore(cf, ChannelProcessingFilter.class)
        .authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
        .authorizeRequests()
            .antMatchers("/ping**")
            .permitAll()
            .and()
        .formLogin()
            .loginPage("/login")
            .permitAll()
            .and()
        .logout()
            .logoutUrl("/logout")
        .logoutSuccessUrl("/login");

ping请求处理程序和方法位于一个控制器中，该控制器也包含登录处理程序，它没有独立@PreAuthorize或其他注释可能导致的问题。

The ping request handler and method is in a controller that also contains the login handler, and it has no separate @PreAuthorize or other annotations that might cause the issue.

问题是，匿名访问被拒绝，并且用户被重定向到登录页面。

The problem is that anonymous access is denied and the user is redirected to the login page.

在调试级别登录，我看到Spring Security的以下反馈：

Logging at the debug level, I see the following feedback from Spring Security:

[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] Secure object: FilterInvocation: URL: /ping; Attributes: [authenticated]
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faad796: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffffa64e: RemoteIpAddress: 192.168.2.128; SessionId: 0EF6B13BBA5F00C020FF9C35A6E3FBA9; Granted Authorities: ROLE_ANONYMOUS
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.access.vote.AffirmativeBased] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@123f2882, returned: -1
[2014-07-11 13:18:04,483] [DEBUG] [org.springframework.security.web.access.ExceptionTranslationFilter] Access is denied (user is anonymous); redirecting to authentication entry point

我要完成的是要有一个可以调用的方法在任何点处并且将发送应答指示请求是否是内部的登录会话。

What I'm trying to accomplish is to have a method that can be called at any point and which will send a reply indicating whether or not the request is inside a logged-in session.

推荐答案

在许可顺序很重要，当我配置它像这样它的工作原理：

The permission order is important, it works when I configure it like this:

.authorizeRequests()
        .antMatchers("/ping**")
        .permitAll()
        .and()
.authorizeRequests()
        .anyRequest()
        .authenticated()
        .and()

这篇关于Spring Security permitAll（）不允许匿名访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！