Spring Security allow all requests

时间:2015-10-30 22:30:35

标签: spring spring-security

I need to develop rest application where only base auth. I use java-base configuration and have security class

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("admin").password("123456").roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().denyAll();
    }
}

also I see that security filter was added 

[org.springframework.security.web.DefaultSecurityFilterChain] (ServerService Thread Pool -- 59) Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@5601cb02, org.springframework.security.web.context.SecurityContextPersistenceFilter@3be5386f, org.springframework.security.web.header.HeaderWriterFilter@218c240d, org.springframework.security.web.csrf.CsrfFilter@46b36d4, org.springframework.security.web.authentication.logout.LogoutFilter@d0f92f5, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@23004472, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@57a57f43, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@42b44dda, org.springframework.security.web.session.SessionManagementFilter@3a81a7cd, org.springframework.security.web.access.ExceptionTranslationFilter@53e708c7, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@66a7dab9]

but when I connect to my controller from browser where I have code 

Authentication auth = SecurityContextHolder.getContext().getAuthentication();
String name = auth.getName(); //get logged in username

I have the NPE, because auth is null. But as I understand Spring Security must decline any requests to any my urls before method executions. Can someone tell me where is my mistake?

1 个答案:

答案 0 :(得分:0)

Try with

.authorizeRequests().anyRequest().authenticated()

If the problem persists I think it may be due to the AnonymousAuthenticationFilter that puts an AnonymousToken in the SecurityContextHolder. In this case you need to disable this filter anonymous().disable() or use a RoleVoter.

.authorizeRequests().antMatchers("/*").hasRole("ADMIN")

UPDATE: Just a doubt, are you sure that your app is taking your configuration from your SecurityConfig?. From Spring documentation you have to do this:

public class MvcWebApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class[] { SecurityConfig.class };
    }

    // ... other overrides ...
}

I don't know if @Configuration works in WebSecurityConfigurerAdapter

相关问题
最新问题