Spring Security anonymous user has access to every url

Problem description

I'm developing a gwt application which I want to secure using spring-security. I have user data in a database and UserService is responsible for getting a particular User. I have followed this tutorial

AuthenticationProvider:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// User and UserService are the application's own classes (not shown in the post).
public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Autowired UserService userService;

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // For a UsernamePasswordAuthenticationToken the principal is the submitted username
        String username = (String) authentication.getPrincipal();
        String password = (String) authentication.getCredentials();

        User user = userService.findByUserName(username);
        if (user == null) {
            throw new UsernameNotFoundException("User not found");
        }
        // Compares the stored password directly, as in the original post (no password encoder involved)
        String storedPass = user.getPassword();
        if (!storedPass.equals(password)) {
            throw new BadCredentialsException("Invalid password");
        }
        // Wrap the user in the custom Authentication and mark it as authenticated
        Authentication customAuthentication = new CustomUserAuthentication(user, authentication);
        customAuthentication.setAuthenticated(true);

        return customAuthentication;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // This provider only handles form-login username/password tokens
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

CustomAuthentication:

import java.util.ArrayList;
import java.util.Collection;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

// User is the application's own class; user.getRole() is assumed to return an enum.
public class CustomUserAuthentication implements Authentication {

    private static final long serialVersionUID = -3091441742758356129L;

    private boolean authenticated;

    // The single authority is derived from the user's role name (e.g. ROLE_USER)
    private final GrantedAuthority grantedAuthority;
    // The original (unauthenticated) token, kept for its credentials and details
    private final Authentication authentication;
    private final User user;

    public CustomUserAuthentication(User user, Authentication authentication) {
        this.grantedAuthority = new SimpleGrantedAuthority(user.getRole().name());
        this.authentication = authentication;
        this.user = user;
    }

    @Override
    public Collection<GrantedAuthority> getAuthorities() {
        Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(grantedAuthority);
        return authorities;
    }

    @Override
    public Object getCredentials() {
        return authentication.getCredentials();
    }

    @Override
    public Object getDetails() {
        return authentication.getDetails();
    }

    @Override
    public Object getPrincipal() {
        // The application's User object is the principal
        return user;
    }

    @Override
    public boolean isAuthenticated() {
        return authenticated;
    }

    @Override
    public void setAuthenticated(boolean authenticated) throws IllegalArgumentException {
        this.authenticated = authenticated;
    }

    @Override
    public String getName() {
        return user.getUsername();
    }

}

Security context:

<s:http auto-config="true" create-session="always" >
    <s:intercept-url pattern="/index.html" access="ROLE_USER" />
    <s:logout logout-success-url="/login.html"/>
    <s:form-login login-page="/login.html" default-target-url="/index.html" authentication-failure-url="/login.html" />
</s:http>

<s:authentication-manager alias="authenticationManager">
    <s:authentication-provider ref="customAuthenticationProvider" />
</s:authentication-manager>

<bean id="customAuthenticationProvider" class="com.example.server.security.CustomAuthenticationProvider" />

Everything works fine: Spring intercepts the call to index.html, I need to log in, and it redirects me back to index.html. The problem is that when I log out and then go to index.html once again, I simply get access to it. I figured out that:

    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    System.out.println("Logged as: " + auth.getName()); 

prints anonymousUser after logout. This code prints my user name when I log in again, so I suppose that there is something wrong with intercepting the anonymous user. Does anyone know how to intercept an anonymous user?

Recommended answer

Instead of:

<s:intercept-url pattern="/**" access="ROLE_USER" />

you can use:

<s:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY,ROLE_USER" />

That should make Spring Security deny access to the anonymous user. Of course, that implies you also need to add one of these:

<s:intercept-url pattern="/url_that_should_be_accessible_to_anonymous_user" access="IS_AUTHENTICATED_ANONYMOUSLY" />

for every pattern that anonymous users should be able to access. Typically, login pages, error pages, static resources (images, PDF, etc).
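As an added example (not part of the original answer), here is a complete <s:http> block that applies that advice; the error page and static-resource paths are assumptions for illustration. Since intercept-url patterns are matched in order and the first match wins, the anonymous-accessible rules must come before the /** catch-all.

```xml
<!-- Added example, not from the original post. Paths other than login.html and
     index.html are assumed for illustration. -->
<s:http auto-config="true" create-session="always" use-expressions="false">
    <!-- Rules for what the logged-out (anonymous) user must still be able to reach.
         These come first: intercept-url elements are checked top to bottom and
         the first matching pattern decides. -->
    <s:intercept-url pattern="/login.html" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <s:intercept-url pattern="/error.html" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <s:intercept-url pattern="/images/**"  access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <s:intercept-url pattern="/css/**"     access="IS_AUTHENTICATED_ANONYMOUSLY" />

    <!-- Catch-all, placed LAST so it does not shadow the rules above (a /** rule
         placed first would lock the anonymous user out of the login page itself).
         Note that with the namespace default AffirmativeBased decision manager the
         comma-separated attributes are OR'ed: IS_AUTHENTICATED_FULLY alone already
         admits any non-anonymous, non-remember-me login regardless of its role. -->
    <s:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY,ROLE_USER" />

    <!-- invalidate-session is the default, spelled out here so a logout really
         drops the authenticated session before the user becomes anonymous. -->
    <s:logout logout-success-url="/login.html" invalidate-session="true" />
    <s:form-login login-page="/login.html"
                  default-target-url="/index.html"
                  authentication-failure-url="/login.html" />
</s:http>
```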
