Grails 3 REST-API匿名访问被ExceptionTranslationFilter拒绝

时间:2016-04-18 16:00:11

标签: spring rest grails spring-security grails-3.1

我尝试设置对我的API的匿名访问(Grails配置文件" rest-api",用于Grails的Spring Security REST),但ExceptionTranslationFilter似乎使AnonymousAuthenticationFilter无效。任何配置缺失?


if a login method (such as Meteor.loginWithPassword, Meteor.loginWithFacebook, or Accounts.createUser) is currently in progress. A reactive data source.

来自http://alvarosanchez.github.io/grails-spring-security-rest/latest/docs/#_anonymous_access

$ grails -version
| Grails Version: 3.1.5
| Groovy Version: 2.4.6
| JVM Version: 1.8.0_77

请求/响应:

# application.yml
grails:
    profile: rest-api
    codegen:
        defaultPackage: com.company.api
    spring:
        transactionManagement:
            proxies: false
    plugin.springsecurity:
        userLookup.userDomainClassName: 'com.company.api.User'
        userLookup.authorityJoinClassName: 'com.company.api.UserRole'
        authority.className: 'com.company.api.Role'
        rest.token.validation.enableAnonymousAccess: true
        filterChain.chainMap:
          -
            pattern: '/api/guest/**'
            filters: 'anonymousAuthenticationFilter,restTokenValidationFilter,restExceptionTranslationFilter,filterInvocationInterceptor'
          -
            pattern: '/api/**'
            filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
          -
            pattern: '/**'
            filters: 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter'

错误日志:

curl -v http://localhost:8080/api/guest/1
* Hostname was NOT found in DNS cache
*   Trying ::1...
* Connected to localhost (::1) port 8080 (#0)
> GET /api/guest/1 HTTP/1.1
> User-Agent: curl/7.38.0
> Host: localhost:8080
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
* Server Apache-Coyote/1.1 is not blacklisted
< Server: Apache-Coyote/1.1
< WWW-Authenticate: Bearer
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Mon, 18 Apr 2016 15:45:59 GMT
< 
* Connection #0 to host localhost left intact
{"timestamp":1460994359612,"status":401,"error":"Unauthorized","message":"No message available","path":"/api/guest/1"}

1 个答案:

答案 0 :(得分:1)

您的配置看起来是正确的。但是,给定以下日志行:

DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /api/guest/1; Attributes: [_DENY_]

您的控制器/操作中似乎缺少@Secured(['permitAll'])注释。该请求未经身份验证,因为没有为其定义安全限制,而不是因为它是匿名的。

相关问题
最新问题