I am trying to exclude certain paths from security by creating a separate path entry for them:
<security:http pattern="/rest/**" security="none" />
But when I try to access a URL matching this pattern, for example
my-host:8080/my-context-root/rest/users
I get a 500 response with the exception:
HTTP Status 500 - Request processing failed; nested exception is org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
That's the problem. Why am I getting this? Why does an unsecured pattern, which should disable all filters and security features completely, expect any credentials?
I'm not sure whether I should provide the complete .xml configuration files, but I can if it matters.
UPDATE: my configuration
Filter and servlet mappings:
<filter>
<filter-name>encoding-filter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encoding-filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:spring-db.xml
classpath:spring-service.xml
classpath:spring-service-security.xml
classpath:spring-web-security.xml
classpath:spring-web-dispatcher.xml
</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>*.html</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
<!-- welcome file -->
<welcome-file-list>
<welcome-file>redirect.jsp</welcome-file>
</welcome-file-list>
<!-- session config -->
<session-config>
<session-timeout>15</session-timeout>
</session-config>
and security
spring-service-security.xml
<security:global-method-security
secured-annotations="enabled" />
<bean id="authenticationFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:authenticationManager-ref="customAuthenticationManager" />
<bean id="customAuthenticationManager" class="org.unidevteam.userstory.service.impl.AuthServiceImpl" />
<bean id="passwordEncoder"
class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
<security:authentication-manager />
and spring-web-security.xml
<security:http pattern="/rest/**" security="none" />
<bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
p:loginFormUrl="/login.html" />
<security:http auto-config="true" use-expressions="true"
entry-point-ref="authenticationEntryPoint" access-denied-page="/login.html"
authentication-manager-ref="customAuthenticationManager">
<security:intercept-url pattern="/login.html"
access="permitAll" />
<security:intercept-url pattern="/home.html"
access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
<security:intercept-url pattern="/users.html"
access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
<security:intercept-url pattern="/rmuser.html"
access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
<security:intercept-url pattern="/user.html"
access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
<security:intercept-url pattern="/notifications.html"
access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
<security:intercept-url pattern="/locations.html"
access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
<security:intercept-url pattern="/rmlocation.html"
access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
<security:intercept-url pattern="/location.html"
access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
<security:intercept-url pattern="/events.html"
access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
<security:logout invalidate-session="true"
logout-success-url="/logout.html" />
</security:http>
<bean id="authenticationFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:authenticationManager-ref="customAuthenticationManager" />
To clarify what I'm trying to do: there is a third-party legacy MVC application, and now I need to implement a REST API for it. So I decided it will be available under the /rest/ path. I plan to add some special security later (probably token-based authentication), but initially I decided to remove protection from that path completely for debugging and testing.
Answer 0: (score: 0)
I never put security-related configuration in the servlet dispatcher application context. Spring Security is filter-based, and filters are declared at the servlet-context level, just like the root application context.
For that reason, I recommend you put all of your Spring Security configuration in the root application context, as all the examples in the reference manual do. The root application context is usually loaded by Spring's ContextLoaderListener:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/daoContext.xml /WEB-INF/applicationContext.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>