我导出一组使用HTTP BASIC保护的REST Web服务。我的弹簧配置过去运行良好,但我最近发现它根本不起作用,因为它提供了访问某些Web服务而无需提供任何用户/密码。查看日志我可以看到以下内容:
2015-04-10 16:26:58,811 DEBUG FilterChainProxy: 337 - /statefull/f/search/hostname/DESKTOP-OMAR/deviceId/65536?format=json at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-04-10 16:26:58,811 DEBUG HttpSessionSecurityContextRepository: 140 - No HttpSession currently exists
2015-04-10 16:26:58,812 DEBUG HttpSessionSecurityContextRepository: 91 - No SecurityContext was available from the HttpSession: null. A new one will be created.
2015-04-10 16:26:58,812 DEBUG FilterChainProxy: 337 - /statefull/f/search/hostname/DESKTOP-OMAR/deviceId/65536?format=json at position 2 of 9 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-04-10 16:26:58,812 DEBUG FilterChainProxy: 337 - /statefull/f/search/hostname/DESKTOP-OMAR/deviceId/65536?format=json at position 3 of 9 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2015-04-10 16:26:58,812 DEBUG FilterChainProxy: 337 - /statefull/f/search/hostname/DESKTOP-OMAR/deviceId/65536?format=json at position 4 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2015-04-10 16:26:58,812 DEBUG FilterChainProxy: 337 - /statefull/f/search/hostname/DESKTOP-OMAR/deviceId/65536?format=json at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2015-04-10 16:26:58,812 DEBUG FilterChainProxy: 337 - /statefull/f/search/hostname/DESKTOP-OMAR/deviceId/65536?format=json at position 6 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2015-04-10 16:26:58,813 DEBUG AnonymousAuthenticationFilter: 102 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2015-04-10 16:26:58,813 DEBUG FilterChainProxy: 337 - /statefull/f/search/hostname/DESKTOP-OMAR/deviceId/65536?format=json at position 7 of 9 in additional filter chain; firing Filter: 'SessionManagementFilter'
2015-04-10 16:26:58,813 DEBUG SessionManagementFilter: 92 - Requested session ID 35A9CBAD338A61BA5D0B7A5D1D821628 is invalid.
2015-04-10 16:26:58,813 DEBUG FilterChainProxy: 337 - /statefull/f/search/hostname/DESKTOP-OMAR/deviceId/65536?format=json at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2015-04-10 16:26:58,813 DEBUG FilterChainProxy: 337 - /statefull/f/search/hostname/DESKTOP-OMAR/deviceId/65536?format=json at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2015-04-10 16:26:58,813 DEBUG FilterSecurityInterceptor: 185 - Public object - authentication not attempted
提供的URL被视为"公共对象"出于某种未知原因。 我的配置如下:
<s:global-method-security
secured-annotations="enabled"
pre-post-annotations="enabled" />
<s:http use-expressions="true" realm="My Webservice" create-session="ifRequired">
<s:http-basic />
<s:intercept-url pattern='/**'/>
</s:http>
有谁看到可能是什么问题?
答案 0 :(得分:1)
您错过了access属性(http://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html)
<intercept-url pattern="/**" access="denyAll" />
我希望春天会抱怨错误的配置,所以可能根本没有考虑配置文件(或者我错了)