我希望我的服务仅针对传入的POST / PUT / DELETE请求执行身份验证,并绕过任何GET请求。 Spring版本低于3.1,具有'filters =“none”'属性,可用于绕过特定URL模式的所有安全过滤器。在3.1中,'filters =“none”'已被弃用,而替代解决方案是对“http”元素使用'security =“none”'属性。这不支持基于进入的请求类型(GET / PUT / POST / DELETE)的配置。
我使用的是Spring 3.1.1,当前配置如下:
<!-- Just un-comment any resource if you don't want authentication to be done on them -->
<http pattern="/base/version" security="none"/>
<!-- Secure resources -->
<http create-session='stateless' entry-point-ref="tokenAuthenticationEntryPoint">
<custom-filter position="PRE_AUTH_FILTER" ref="tokenAuthenticationFilter" />
<intercept-url pattern="/v1/abc/**" method="GET" filters="none"/> //This doesn’t work currently
<intercept-url pattern="/v1/abc/**" method="POST" access="ROLE_USER"/>
<intercept-url pattern="/v1/abc/**" method="PUT" access="ROLE_USER"/>
<intercept-url pattern="/v1/abc/**" method="DELETE" access="ROLE_USER"/>
<intercept-url pattern="/**" access="ROLE_USER" />
</http>
如何在Spring 3.1中绕过pattern =“/ v1 / abc / **”method =“GET”的安全过滤器?
答案 0 :(得分:2)
我找到了解决问题的方法 - 使用基于表达式的访问控制,我使用access =“permitAll”来配置授权而不禁用过滤器。
<!-- Just un-comment any resource if you don't want authentication to be done on them -->
<http pattern="/base/version" security="none"/>
<!-- Secure resources -->
<http create-session='stateless' entry-point-ref="tokenAuthenticationEntryPoint" use- expressions="true">
<custom-filter position="PRE_AUTH_FILTER" ref="tokenAuthenticationFilter" />
<intercept-url pattern="/v1/abc/**" method="GET" access="permitAll"/>
<intercept-url pattern="/v1/abc/**" method="POST" access="hasRole('ROLE_USER')"/>
<intercept-url pattern="/v1/abc/**" method="PUT" access="hasRole('ROLE_USER')"/>
<intercept-url pattern="/v1/abc/**" method="DELETE" access="hasRole('ROLE_USER')"/>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
</http>