当默认拒绝默认时,Spring Security ROLE_ANONYMOUS不起作用 [英] Spring Security ROLE_ANONYMOUS does not work when deny-by-default is activated
问题描述
我启用了默认的deny-by-default功能。有了这个,我想在一些控制器上提供匿名访问。为此,我启用了匿名身份验证。
I had enabled deny-by-default feature of security. With this I want to provide anonymous access on some controllers. For that I had enabled Anonymous authentication.
如果我使用 antmacher.permitAll()
工作正常。
但是如果我使用 @PreAuthorize(value =hasRole('ROLE_ANONYMOUS'))
带控制器对我不起作用。
If I use antmacher.permitAll()
works fine.
But if I am using @PreAuthorize(value="hasRole('ROLE_ANONYMOUS')")
with controllers does not work for me.
{
"timeStamp": 1488692168652,
"success": false,
"message": "Full authentication is required to access this resource",
"class": "org.springframework.security.authentication.InsufficientAuthenticationException"
}
Spring安全配置:
Spring security Configuration:
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.csrf().disable();
httpSecurity.httpBasic().disable();
// enable anonymous access
httpSecurity.anonymous();
httpSecurity.authorizeRequests()
//.antMatchers("/").permitAll()
.anyRequest().authenticated();
httpSecurity.addFilterAt(jsonAuthenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
// Call our errorHandler if authentication/authorization fails
httpSecurity.exceptionHandling().authenticationEntryPoint(new JwtAuthenticationEntryPoint());
httpSecurity.exceptionHandling().accessDeniedHandler(new JwtAccessDeniedHandler());
// don't create session
httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// Custom JWT based security filter
httpSecurity.addFilterAfter(jwtAuthenticationTokenFilterBean(), RememberMeAuthenticationFilter.class);
// disable page caching
httpSecurity.headers().cacheControl().disable();
}
控制器:
@RestController
@PreAuthorize(value="hasRole('ROLE_ANONYMOUS')")
public class HomeController {
@RequestMapping("/")
String execute() {
return "hello";
}
}
推荐答案
使用 @PreAuthorize(value =hasRole('ROLE_ANONYMOUS'))
和 anyRequest()。authenticated()
,
您已将安全链配置为对所有请求进行身份验证,这会在到达控制器之前捕获匿名请求并拒绝它。
When using @PreAuthorize(value="hasRole('ROLE_ANONYMOUS')")
and anyRequest().authenticated()
,
you have configured your security chain to authenticate all requests, this catches the anonymous request and rejects it, before it gets to the controller.
您可以配置使用 antMatchers(/)。permitAll()
或 antMatchers(/)。anonymous()
传递通过安全过滤器链。
Either you can configure using antMatchers("/").permitAll()
or antMatchers("/").anonymous()
to pass through the security filter chain.
这篇关于当默认拒绝默认时,Spring Security ROLE_ANONYMOUS不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!