当默认拒绝默认时，Spring Security ROLE_ANONYMOUS不起作用 [英] Spring Security ROLE_ANONYMOUS does not work when deny-by-default is activated

问题描述

我启用了默认的deny-by-default功能。有了这个，我想在一些控制器上提供匿名访问。为此，我启用了匿名身份验证。

I had enabled deny-by-default feature of security. With this I want to provide anonymous access on some controllers. For that I had enabled Anonymous authentication.

如果我使用 antmacher.permitAll（）工作正常。
但是如果我使用 @PreAuthorize（value =hasRole（'ROLE_ANONYMOUS'））带控制器对我不起作用。

If I use antmacher.permitAll() works fine. But if I am using @PreAuthorize(value="hasRole('ROLE_ANONYMOUS')") with controllers does not work for me.

{
  "timeStamp": 1488692168652,
  "success": false,
  "message": "Full authentication is required to access this resource",
  "class": "org.springframework.security.authentication.InsufficientAuthenticationException"
}

Spring安全配置：

Spring security Configuration:

@Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf().disable();
        httpSecurity.httpBasic().disable();

        // enable anonymous access
        httpSecurity.anonymous();

        httpSecurity.authorizeRequests()
        //.antMatchers("/").permitAll()
        .anyRequest().authenticated();

        httpSecurity.addFilterAt(jsonAuthenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
        // Call our errorHandler if authentication/authorization fails
        httpSecurity.exceptionHandling().authenticationEntryPoint(new JwtAuthenticationEntryPoint());
        httpSecurity.exceptionHandling().accessDeniedHandler(new JwtAccessDeniedHandler());

        // don't create session
        httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // Custom JWT based security filter
        httpSecurity.addFilterAfter(jwtAuthenticationTokenFilterBean(), RememberMeAuthenticationFilter.class);

        // disable page caching
        httpSecurity.headers().cacheControl().disable();
    }

控制器：

@RestController
@PreAuthorize(value="hasRole('ROLE_ANONYMOUS')")
public class HomeController {

    @RequestMapping("/")
    String execute() {
        return "hello";
    }
}

推荐答案

使用 @PreAuthorize（value =hasRole（'ROLE_ANONYMOUS'））和 anyRequest（）。authenticated（），
您已将安全链配置为对所有请求进行身份验证，这会在到达控制器之前捕获匿名请求并拒绝它。

When using @PreAuthorize(value="hasRole('ROLE_ANONYMOUS')") and anyRequest().authenticated(), you have configured your security chain to authenticate all requests, this catches the anonymous request and rejects it, before it gets to the controller.

您可以配置使用 antMatchers（/）。permitAll（）或 antMatchers（/）。anonymous（）传递通过安全过滤器链。

Either you can configure using antMatchers("/").permitAll() or antMatchers("/").anonymous() to pass through the security filter chain.

这篇关于当默认拒绝默认时，Spring Security ROLE_ANONYMOUS不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！