例外:在SecurityContex中找不到Authentication对象

时间:2012-08-09 04:03:23

标签: spring security

最近我使用spring security来控制方法的访问权限。访问页面可以触发身份验证方法(在@PreAuthorize中指定)以确定用户是否具有预留权。

但我正在使用Spring预定作业(使用@Scheduled的方法),这意味着该方法在没有会话上下文的情况下自动运行。如果该方法使用@PreAuthorize调用某个函数,则无法通过身份验证。它不会给出“真实”或“假”来判断访问是被接受还是被拒绝。它给出了以下例外。这很烦人!

=============================================== ===================================

org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:325)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:196)
at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:64)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:110)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy40.refreshGlobalCacheStrategyMetrics(Unknown Source)
at org.sly.main.server.service.system.scheduling.MaintenanceServiceImpl.runRecreateStrategyMetricsCache(MaintenanceServiceImpl.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:318)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.aop.interceptor.AsyncExecutionInterceptor$1.call(AsyncExecutionInterceptor.java:80)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
at java.util.concurrent.FutureTask.run(FutureTask.java:138)
at java.lang.Thread.run(Thread.java:662)

=============================================== ===================================

我搜索了许多页面试图找出答案,但我无法找到最终解决方案。

springsource.org中的一个页面显示了问题:

http://static.springsource.org/spring-security/site/faq.html#auth-exception-credentials-not-found

  

1.5。我收到一条消息“在SecurityContext中找不到身份验证对象”的异常。怎么了?

     

这是第一次出现的另一个调试级别消息   匿名用户尝试访问受保护的资源,但是当您   您的过滤器链中没有AnonymousAuthenticationFilter   配置。

     

DEBUG [ExceptionTranslationFilter] - 身份验证例外   发生了;重定向到认证入口点
  org.springframework.security.AuthenticationCredentialsNotFoundException:   在SecurityContext中找不到Authentication对象   org.springframework.security.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:342)   在   org.springframework.security.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:254)

我找到另一个页面来描述如何配置AnonymousAuthenticationFilter http://static.springsource.org/spring-security/site/docs/3.0.x/reference/anonymous.html

它说配置应该是:

<bean id="anonymousAuthFilter"
    class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
  <property name="key" value="foobar"/>
  <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
</bean>

<bean id="anonymousAuthenticationProvider"
    class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
  <property name="key" value="foobar"/>
</bean>

所以我在我的application-security.xml中配置它,但它没有任何区别。

<beans:bean id="springSecurityFilterChain"
    class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map path-type="ant">
        <security:filter-chain pattern="/**"
            filters="anonymousAuthFilter" />
    </security:filter-chain-map>
</beans:bean>
<!-- ///////////////////////////////////////// -->
<!-- ////for AnonymousAuthenticationFilter//// -->
<!-- ///////////////////////////////////////// -->
<beans:bean id="anonymousAuthFilter"
    class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
    <beans:property name="key" value="foobar" />
    <beans:property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS" />
</beans:bean>

<beans:bean id="anonymousAuthenticationProvider"
    class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
    <beans:property name="key" value="foobar" />
</beans:bean>

有人精通春季安全吗?

1 个答案:

答案 0 :(得分:0)

从异常和您的配置中我发现没有身份验证过程。这对于任何访问安全资源都是必要的。因此,您应该被重定向到entryPoint页面
根据您的过滤器配置,我看不到其他过滤器,这很奇怪。您使用名称空间还是过滤器链?如果后者为真,则添加其他过滤器。您可能需要查看this以找出您的任务所需的过滤器。