Confusion around Spring Security anonymous access using Java Config


Question

I am using the following Java Config with Spring Security:

protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .httpBasic();
}

Based on this configuration, all requests are authenticated. When you hit a controller without being authenticated, the AnonymousAuthenticationFilter will create an Authentication object for you with username=anonymousUser, role=ROLE_ANONYMOUS.

I am trying to provide anonymous access to a specific controller method and have tried to use each of the following:


  1. @Secured("ROLE_ANONYMOUS")
  2. @Secured("IS_AUTHENTICATED_ANONYMOUSLY")

When the controller methods get invoked, the following response is given: "HTTP Status 401 - Full authentication is required to access this resource"

Can someone help me understand why we are receiving this message and why ROLE_ANONYMOUS/IS_AUTHENTICATED_ANONYMOUSLY don't seem to work using this configuration?

Thanks,
JP

Recommended answer

Your security configuration is blocking all unauthenticated requests. You should allow access to the controller with

.antMatchers("/mycontroller").permitAll()

See also:

  • http://spring.io/blog/2013/07/03/spring-security-java-config-preview-web-security/
