我使用Spring Security进行用户身份验证,但当用户未登录时,SecurityContext为null。
在我的 web.xml 中,我有:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
在 security.xml 我有
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:http="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- Static resources such as CSS and JS files are ignored by Spring Security -->
<security:http pattern="/resources/**" security="none" />
<security:http use-expressions="true">
<!-- Enables Spring Security CSRF protection -->
<security:csrf/>
<!-- Configures the form login -->
<security:form-login
login-page="/login"
login-processing-url="/login/authenticate"
authentication-failure-url="/login?error=bad_credentials"
username-parameter="username"
password-parameter="password"/>
<!-- Configures the logout function -->
<security:logout
logout-url="/logout"
logout-success-url="/home"
delete-cookies="JESSIONID"/>
<security:intercept-url pattern="/**" method="GET" access="permitAll"/>
<security:intercept-url pattern="/user/register" method="POST" access="permitAll"/>
<!-- These operations are protected. -->
<security:intercept-url pattern="/product/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
<security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
<security:access-denied-handler error-page="/login"/>
<!-- Adds social authentication filter to the Spring Security filter chain. -->
<security:custom-filter ref="socialAuthenticationFilter" before="PRE_AUTH_FILTER" />
</security:http>
......其他配置......
我得到null的代码是:
HttpSession session = request.getSession(true);
SecurityContext securityContext =(SecurityContext) session.getAttribute("SPRING_SECURITY_CONTEXT");
Authentication authentication = securityContext.getAuthentication();
user = (Object) authentication.getPrincipal();
但是当没有用户登录时,我得到null securityContext 。我做错了的任何帮助
答案 0 :(得分:1)
来自http://docs.spring.io/spring-security/site/docs/3.0.x/reference/anonymous.html:
...请注意,“匿名身份验证”的用户与未经身份验证的用户之间没有真正的概念差异。 Spring Security的匿名身份验证只是为您提供了一种更方便的方式来配置访问控制属性。例如,调用servlet API调用(例如 getCallerPrincipal)仍会返回null ,即使SecurityContextHolder中实际存在匿名身份验证对象。
在其他情况下,匿名身份验证很有用,例如审计拦截器查询SecurityContextHolder以确定哪个主体负责给定操作。 如果类知道SecurityContextHolder始终包含Authentication对象,则可以更健壮地编写类,并且永远不会为null。
这样的设置(也来自引用页面):
<bean id="anonymousAuthFilter"
class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
<property name="key" value="foobar"/>
<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
</bean>
<bean id="anonymousAuthenticationProvider"
class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
<property name="key" value="foobar"/>
</bean>
..并从以下位置调整security.xml条目:
permitAll
..为:
ROLE_ANONYMOUS
应该始终为您提供Securitycontext
/ Authentication
对象(但不一定是&#34; Principal&#34;)。