我有url pattern / checkout / single的控制器。我已经对此控制器进行了身份验证登录。在此控制器内部,还有一种方法需要为匿名用户提供。假设方法请求映射是/ test,有人可以为我提供适当的spring-security-config.xml配置。 这是完整的配置 -
<security:http disable-url-rewriting="true" pattern="/checkout/**" use-expressions="true">
<security:session-management session-authentication-strategy-ref="fixation" />
<security:intercept-url pattern="/checkout/single/test" access="permitAll" requires-channel="any"/>
<!-- SSL / AUTHENTICATED pages -->
<security:intercept-url pattern="/checkout/j_spring_security_check" requires-channel="https" />
<security:intercept-url pattern="/checkout*" access="hasRole('ROLE_CUSTOMERGROUP')" requires-channel="https" />
<security:intercept-url pattern="/checkout/**" access="hasRole('ROLE_CUSTOMERGROUP')" requires-channel="https" />
<security:form-login login-processing-url="/checkout/j_spring_security_check" login-page="/login/checkout" authentication-failure-handler-ref="loginCheckoutAuthenticationFailureHandler" authentication-success-handler-ref="loginCheckoutGuidAuthenticationSuccessHandler" />
<security:logout logout-url="/logout" success-handler-ref="logoutSuccessHandler" delete-cookies="JSESSIONID" />
<security:port-mappings>
<security:port-mapping http="#{configurationService.configuration.getProperty('tomcat.http.port')}" https="#{configurationService.configuration.getProperty('tomcat.ssl.port')}" />
<security:port-mapping http="80" https="443" />
</security:port-mappings>
<security:request-cache ref="httpSessionRequestCache" />
</security:http>
答案 0 :(得分:0)
在xml文件中,您需要在第一行中为匿名用户编写拦截网址。 Spring安全将首先检查这一行。然后此方法将可用于匿名,但其他方法将需要登录,即使它们位于同一个控制器中。
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/checkout/single/anotherMethod" access="hasRole('ROLE_ANONYMOUS')"/>
<intercept-url pattern="/checkout/single" access="hasRole('ROLE_USER')" />