Spring Security | Problem granting access to anonymous users

Time: 2014-03-05 14:06:37

Tags: java spring security spring-mvc spring-security

I am trying to grant access to a certain REST method implemented with Spring. [Please bear in mind that this is an existing Spring-configured application]

My problem is that if I am not authenticated I cannot access this method. Here is my configuration.


web.xml

<servlet>
    <servlet-name>appServlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/app-servlet.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

app-servlet.xml

<!-- DispatcherServlet Context: defines this servlet's request-processing infrastructure -->

<!-- Enables the Spring MVC @Controller programming model -->
<annotation-driven />

<context:component-scan base-package="nz.co.schola.sms.web.tech" />

<!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources directory -->
<resources mapping="/resources/**" location="/resources/" />

<!-- Resolves views selected for rendering by @Controllers to .jsp resources in the /WEB-INF/views directory -->
<beans:bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <beans:property name="prefix" value="/WEB-INF/views/" />
    <beans:property name="suffix" value=".jsp" />
</beans:bean>   

<beans:bean class="org.springframework.web.servlet.view.ContentNegotiatingViewResolver">
    <beans:property name="order" value="1" />
    <beans:property name="mediaTypes">
        <beans:map>
            <beans:entry key="json" value="application/json" />
            <beans:entry key="xml" value="application/xml" />               
        </beans:map>
    </beans:property>

    <beans:property name="defaultViews">
        <beans:list>
            <!-- JSON View -->
            <beans:bean class="org.springframework.web.servlet.view.json.MappingJacksonJsonView" />
        </beans:list>
    </beans:property>
</beans:bean>

Controller class

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class CustomController {

    // GET handler; the JSON view configured in app-servlet.xml renders the returned object
    @RequestMapping(value = "/wos/student/{stid}/school/{scid}", method = RequestMethod.GET)
    public @ResponseBody JsonFormatClass getWeeksOfSchooling(@PathVariable("stid") String stid, @PathVariable("scid") String scid) {

        //some logic

        return new JsonFormatClass();
    }
}

In my Spring Security application context I have explicitly defined an intercept-url to grant anonymous access to the method


applicationContext-security.xml

  <security:http auto-config="false" entry-point-ref="formAuthenticationEntryPoint">
    <!-- Uses a custom form filter to accommodate the userspace -->
    <security:custom-filter position="FORM_LOGIN_FILTER" ref="userspaceAwareFormLoginFilter" /> 
    <security:anonymous />
    <security:logout />

    <!-- Workaround for RichFaces automatically including skinning CSS on login page, even though unused -->
    <security:intercept-url pattern="/a4j/**" access="ROLE_ANONYMOUS,ROLE_USER" />
    <!-- Richfaces skinning also uses images and some additional stylesheets... -->
    <security:intercept-url pattern="/css/**" access="ROLE_ANONYMOUS,ROLE_USER" />
    <security:intercept-url pattern="/errorViewExpired.jsp" access="ROLE_ANONYMOUS,ROLE_USER" />
    <security:intercept-url pattern="/images/**" access="ROLE_ANONYMOUS,ROLE_USER" />
    <security:intercept-url pattern="/js/**" access="ROLE_ANONYMOUS,ROLE_USER" />
    <security:intercept-url pattern="/login.faces" access="ROLE_ANONYMOUS,ROLE_USER" />

    <security:intercept-url pattern="/srStudentPhoto/**" access="ROLE_ANONYMOUS,ROLE_USER" />

    <security:intercept-url pattern="/accountsreceivable/**" access="ROLE_AR" />
    <security:intercept-url pattern="/assessment/**" access="ROLE_PLANNING_ASSESSMENT, ROLE_ASSESS_MAINTENANCE" />
    <security:intercept-url pattern="/assessmentmaintenance/**" access="ROLE_ASSESS_MAINTENANCE" />
    <security:intercept-url pattern="/attendance/attendanceJobSettings.faces" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/attendance/attendanceMaintenance.faces" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/attendance/attendanceSettings.faces" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/attendance/attendanceSurvey.faces" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/attendance/unmarkedRegisters.faces" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/earlynotification/**" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/enrol/**" access="ROLE_ENROL" />
    <security:intercept-url pattern="/enrolment/**" access="ROLE_STUDENTADMIN" />
    <security:intercept-url pattern="/incident/**" access="ROLE_BEHAVIOURAL_MGMT" />
    <security:intercept-url pattern="/rollreturn/**" access="ROLE_ROLL_RETURN" />
    <security:intercept-url pattern="/school/schoolYearSettings.faces" access="ROLE_STUDENTADMIN, ROLE_CUSTOMER_SERVICE" />
    <security:intercept-url pattern="/schooladmin/peopleSearch.faces" access="ROLE_USER_MAINTENANCE, ROLE_USER_ADMIN" />
    <security:intercept-url pattern="/schooladmin/maintainPerson.faces" access="ROLE_USER_MAINTENANCE, ROLE_USER_ADMIN" />
    <security:intercept-url pattern="/schooladmin/maintainPersonRoles.faces" access="ROLE_USER_MAINTENANCE, ROLE_USER_ADMIN" />
    <security:intercept-url pattern="/schooladmin/peopleSearch.faces" access="ROLE_USER_MAINTENANCE, ROLE_USER_ADMIN" />
    <security:intercept-url pattern="/schooladmin/groupList.faces" access="ROLE_USER" />
    <security:intercept-url pattern="/schooladmin/groupMaintenance.faces" access="ROLE_USER" />

    <security:intercept-url pattern="/schooladmin/**" access="ROLE_SCHOOLADMIN" />
    <security:intercept-url pattern="/student/add.faces" access="ROLE_STUDENTADMIN" />
    <!-- Should only be accessible by Teachers, but current model does not allow for this -->
    <security:intercept-url pattern="/student/createLearningObservation.faces" access="ROLE_USER" />
    <security:intercept-url pattern="/utils/**" access="ROLE_UTILITIES" />

    <security:intercept-url pattern="/customerservice/**" access="ROLE_CUSTSVC_SUPER, ROLE_CUSTOMER_SERVICE" />

    <security:intercept-url pattern="/**" access="ROLE_USER" />

    <security:intercept-url pattern="/assessments/**" access="ROLE_ANONYMOUS,ROLE_USER" />
  </security:http>

I can access the method perfectly and use it - if I just authenticate I get the result, otherwise it redirects me to the login page.

http://localhost:8080:/MyOwnApp/assessments/wos/student/45345345/school/345343

So what am I doing wrong here?

Thanks.

1 answer:

Answer 0 (score: 1)

There is no matching intercept-url for the controller under
/wos/student/{stid}/school/{scid}

If I assume /wos is the name of your servlet, then you need an intercept-url for /student/** with access ROLE_ANONYMOUS

But you only have

<security:intercept-url pattern="/student/add.faces" access="ROLE_STUDENTADMIN" />
<security:intercept-url pattern="/student/createLearningObservation.faces" access="ROLE_USER" />

The intercept-url that finally matches is

<security:intercept-url pattern="/**" access="ROLE_USER" />

So you can only access your controller when authenticated.
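The rule the answer relies on, shown as an added example that is not part of the original question or answer: Spring Security evaluates intercept-url entries in declaration order and the first matching pattern wins, so any entry declared after the catch-all /** (as /assessments/** is in the question's configuration) can never be selected. The script below is a stand-alone Python simulation of that first-match-wins evaluation over a subset of the patterns from the question's applicationContext-security.xml. It is not Spring's code: the ant-pattern matcher is a simplified re-implementation, the rule lists are taken from the question, and it assumes the path seen by the filter chain is the context-relative path /assessments/wos/student/45345345/school/345343 (i.e. that the DispatcherServlet is mapped under /assessments, which is how the question's URL reads).

```python
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # (ant-style URL pattern, access attribute)

# Declaration-order subset of the intercept-url rules from the question's
# applicationContext-security.xml; the long middle section is omitted because
# none of those patterns match the request examined here.
ORIGINAL_RULES: List[Rule] = [
    ("/css/**", "ROLE_ANONYMOUS,ROLE_USER"),
    ("/login.faces", "ROLE_ANONYMOUS,ROLE_USER"),
    ("/student/add.faces", "ROLE_STUDENTADMIN"),
    ("/student/createLearningObservation.faces", "ROLE_USER"),
    ("/**", "ROLE_USER"),                             # catch-all
    ("/assessments/**", "ROLE_ANONYMOUS,ROLE_USER"),  # declared after the catch-all
]

# Hypothetical fix: the same rules with the catch-all moved to the end, so the
# anonymous /assessments/** entry is consulted before it.
FIXED_RULES: List[Rule] = [r for r in ORIGINAL_RULES if r[0] != "/**"] + [("/**", "ROLE_USER")]


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Simplified ant-style matcher: '**' spans segments, '*' and '?' stay in one segment."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(?:/.*)?")  # trailing /** also matches the bare prefix, as Spring does
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def first_match(rules: List[Rule], path: str) -> Optional[Rule]:
    """Return the first rule whose pattern matches the path (first match wins)."""
    for rule in rules:
        if ant_to_regex(rule[0]).match(path):
            return rule
    return None


def required_roles(access: str) -> set:
    """Split a comma-separated access attribute into the set of accepted roles."""
    return {r.strip() for r in access.split(",") if r.strip()}


def anonymous_allowed(rules: List[Rule], path: str) -> bool:
    """True when an unauthenticated request (ROLE_ANONYMOUS) would be let through."""
    match = first_match(rules, path)
    return match is not None and "ROLE_ANONYMOUS" in required_roles(match[1])


def shadowed_by_catch_all(rules: List[Rule]) -> List[Rule]:
    """Rules declared after a '/**' entry: they can never be the first match."""
    for i, (pattern, _) in enumerate(rules):
        if pattern == "/**":
            return rules[i + 1:]
    return []


if __name__ == "__main__":
    # Constructed from the URL in the question, with the context path stripped.
    path = "/assessments/wos/student/45345345/school/345343"
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(name, first_match(rules, path), "anonymous allowed:", anonymous_allowed(rules, path))
    print("unreachable rules in original order:", shadowed_by_catch_all(ORIGINAL_RULES))
```

With the original order the request is claimed by /** and requires ROLE_USER, which is why an unauthenticated caller is redirected to the login page; with the catch-all moved last, the /assessments/** entry is reached and ROLE_ANONYMOUS (granted by the `<security:anonymous />` element) is accepted. The `shadowed_by_catch_all` check is a cheap lint to run over a configuration like this one: any intercept-url listed after /** is dead configuration, and a dead rule that was meant to restrict access is the more dangerous variant of the same ordering mistake.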