Question

我们有以下spring安全配置：

<bean id="authenticationSuccessHandler" class="***.JsonAuthenticationSuccessHandler"/>

    <bean id="logoutSuccessHandler" class="***.web.security.***UrlLogoutSuccessHandler">
        <property name="redirectStrategy" ref="noRedirectStrategy"/>
    </bean>

    <bean id="authenticationFailureHandler"
          class="***.web.security.***UrlAuthenticationFailureHandler"/>

    <bean id="httpStatusEntryPoint" class="org.springframework.security.web.authentication.HttpStatusEntryPoint">
        <constructor-arg value="UNAUTHORIZED"/>
    </bean>

    <security:http auto-config="true" use-expressions="false" entry-point-ref="httpStatusEntryPoint">
        <security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrentSessionFilter"/>

        <security:form-login
                authentication-success-handler-ref="authenticationSuccessHandler"
                authentication-failure-handler-ref="authenticationFailureHandler"
                />

        <security:intercept-url pattern="/api/**"/>
        <security:anonymous enabled="false"/>
        <security:logout logout-url="/logout" delete-cookies="JSESSIONID,sessionId"
                         success-handler-ref="logoutSuccessHandler"
                />
        <security:csrf disabled="true"/>

        <security:session-management session-authentication-strategy-ref="sessionAuthenticationStrategy"/>
    </security:http>

    <bean id="concurrentSessionFilter" class="***.***ConcurrentSessionFilter">
        <constructor-arg ref="***SessionRegistry"/>
        <constructor-arg ref="errorController"/>
    </bean>

    <bean id="sessionAuthenticationStrategy" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
        <constructor-arg>
            <list>
                <ref bean="registerSessionAuthenticationStrategy"/>
                <ref bean="concurrentSessionControlAuthenticationStrategy"/>
            </list>
        </constructor-arg>
    </bean>

    <bean id="registerSessionAuthenticationStrategy" class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
        <constructor-arg name="sessionRegistry" ref="***SessionRegistry" />
    </bean>

    <bean id="concurrentSessionControlAuthenticationStrategy" class="***.web.security.***ConcurrentSessionControlAuthenticationStrategy">
        <constructor-arg name="sessionRegistry" ref="***SessionRegistry" />
        <constructor-arg name="logoutService" ref="logoutService"/>
        <property name="maximumSessions" value="1" />
    </bean>

    <!-- enable spring security annotation processing -->
    <security:global-method-security secured-annotations="enabled"/>

    <bean id="***LdapAuthenticationProvider" class="***.web.***LdapAuthProvider">
        <property name="url" value="${ldap.url}"/>
        <property name="filter" value="${ldap.filter}"/>
        <property name="domain" value="${ldap.domain}"/>
        <property name="dn" value="${ldap.dn}"/>
        <property name="ldapEnabled" value="${ldap.enable}"/>
    </bean>

    <security:authentication-manager>
        <security:authentication-provider ref="***LdapAuthenticationProvider"/>
        <security:authentication-provider user-service-ref="***UserDetailsService"/>
    </security:authentication-manager>

    <bean id="usersResource" class="org.springframework.core.io.ClassPathResource">
        <constructor-arg value="/users.properties" />
    </bean>

    <util:property-path id="usersResourceFile" path="usersResource.file" />

    <bean id="***UserDetailsService" class="***.web.security.***InMemoryUserDetailsManager">
        <constructor-arg index="0" ref="usersResourceFile"/>
    </bean>

我尝试了不同的方法但是我找不到从身份验证中排除某些特定URL的方法。

例如：

/api/url/available/without/login

即使用户未登录，

也应该可用。

P.S。

我试图应用这个答案，但它对我不起作用：

https://stackoverflow.com/a/5382178/2674303

UPD

我累了

    ....
    <bean id="httpStatusEntryPoint" class="org.springframework.security.web.authentication.HttpStatusEntryPoint">
        <constructor-arg value="UNAUTHORIZED"/>
    </bean>
    <security:http pattern="/api/url/available/without/login" security="none"/>
    <security:http auto-config="true" use-expressions="false" entry-point-ref="httpStatusEntryPoint">
    ....

但是当我尝试使用时 - 这个网址仍然被锁定，我得到了401

因为这段代码：

 SecurityContext securityContext = SecurityContextHolder.getContext();
 Authentication authentication = securityContext.getAuthentication();
 if (authentication == null || !authentication.isAuthenticated()) {
       String name = authentication != null ? authentication.getName() : "";
       throw new BadCredentialsException("Could not find user " + name);
  }

抛出异常

Answer 1

你只需要添加一个＆＃34;默认＆＃34; http拦截器：

<security:http xmlns="http://www.springframework.org/schema/security">
  <intercept-url pattern="/" access="permitAll()"/>
  <anonymous/>
  <csrf disabled="true"/>
</security:http>

在您当前的安全性之后：http标记。它将处理所有请求，这些请求不是由第一个http构造处理的。

未能从Spring Security保护中排除某些URL

P.S。

UPD

1 个答案: