我有一个基于 Spring 3.2 的大型应用程序,它使用 Spring Security 并采用 CAS 身份验证策略。大多数页面都不要求身份验证,但如果用户已登录,我想在菜单栏中显示其用户名以及指向其页面的链接。
问题似乎就在这里 —— Spring Security 有“身份验证页面”的概念,在这类页面上我可以调用
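Authentication authentication =
SecurityContextHolder.getContext().getAuthentication();
// The original cast bound to `authentication` rather than to the principal
// ((CustomUser) authentication == null ? ...), so the conditional expression
// had type Object and the assignment could not compile. Cast the principal
// instead, and guard with instanceof: on the permitAll pages described in the
// question the context holds an anonymous token whose principal is not a
// CustomUser, and an unguarded cast would throw ClassCastException there.
Object principal = authentication == null ? null : authentication.getPrincipal();
CustomUser custom = principal instanceof CustomUser ? (CustomUser) principal : null;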
这样能正常取回 CustomUser 对象。但是,如果我在匿名/无需身份验证的页面上调用同样的代码,即使用户已经通过身份验证并且有会话,我得到的也只是匿名用户。
这在 Spring Security 中能做到吗?感觉应该可以,但我找不到相关示例,在 S/O 上也没有找到回答这个问题的帖子。
下面是配置的一部分,做了少量改动。
<!-- CAS-protected filter chain. intercept-url rules are matched top-down and the
     first match wins, so their order is significant (see the notes inline). -->
<security:http use-expressions="true" entry-point-ref="casEntryPoint" >
<security:intercept-url pattern="/" access="permitAll"/>
<security:intercept-url pattern="/reviews/my" method="GET" access="isAuthenticated() and hasRole('ROLE_USER')" />
<!-- editing a review -->
<security:intercept-url pattern="/reviews/places/review/*" method="GET" access="permitAll" />
<security:intercept-url pattern="/reviews/places/review/*" method="POST" access="isAuthenticated() and hasRole('ROLE_USER')" />
<!-- editing a comment -->
<security:intercept-url pattern="/reviews/review/editcomment" method="GET" access="permitAll" />
<security:intercept-url pattern="/reviews/review/editcomment" method="POST" access="isAuthenticated() and hasRole('ROLE_USER')" />
<security:intercept-url pattern="/reviews/unsubscribe" access="permitAll" />
<security:intercept-url pattern="/reviews/reportReview" access="permitAll" />
<!-- Every other POST under /reviews/ requires a logged-in ROLE_USER. Because this
     rule comes first, the more specific POST rule for /reviews/review/deletecomment
     further down is never reached (it grants the same access, so this is harmless). -->
<security:intercept-url pattern="/reviews/**" method="POST" access="isAuthenticated() and hasRole('ROLE_USER')" />
<security:intercept-url pattern="/reviews/settings" access="isAuthenticated() and hasRole('ROLE_USER')" />
<security:intercept-url pattern="/reviews/review/deletecomment" method="POST" access="isAuthenticated() and hasRole('ROLE_USER')" />
<security:intercept-url pattern="/reviews/user/checkLogin" method="GET" access="isAuthenticated() and hasRole('ROLE_USER')" />
<!-- Catch-all: anything not matched above is public. NOTE(review): permitAll only
     skips the authorization decision; a user who already authenticated to this
     application should still be visible on these pages. A user who only has a CAS
     SSO session, but has never authenticated to this application, is presumably
     the "anonymous user" the question describes, since nothing here asks CAS
     whether such a session exists. -->
<security:intercept-url pattern="/**" access="permitAll" />
<!-- Only the four filters referenced here are added to the chain. The casGatewayFilter
     bean defined later in this file is not referenced by any custom-filter element. -->
<security:custom-filter before="LOGOUT_FILTER" ref="requestSingleLogoutFilter" />
<security:custom-filter before="CAS_FILTER" ref="singleLogoutFilter" />
<security:custom-filter position="CAS_FILTER" ref="casAuthenticationFilter" />
<security:custom-filter after="EXCEPTION_TRANSLATION_FILTER" ref="ajaxTimeoutRedirectFilter" />
<!-- Local logout: deletes the USERINFO cookie and lands on /reviews/. NOTE(review):
     this block declares no csrf element, so logout does not appear to be
     CSRF-protected by the framework here; confirm that is acceptable. -->
<security:logout logout-success-url="/reviews/" delete-cookies="USERINFO" />
</security:http>
<!-- Custom filter. Presumably answers AJAX callers with the configured status (401)
     instead of a login redirect once the session has expired; the detection logic
     lives in the custom class, not in this configuration. -->
<bean id="ajaxTimeoutRedirectFilter" class="com.company.responder.frontend.filter.AjaxTimeoutRedirectFilter">
<property name="customSessionExpiredErrorCode" value="401"/>
</bean>
<!-- handle single logout requests from CAS -->
<bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/>
<!-- This filter redirects to the CAS Server to signal Single Logout should be performed -->
<!--class="org.springframework.security.web.authentication.logout.LogoutFilter">-->
<!--class="com.company.responder.auth.CookieHandlingLogoutFilter">-->
<!-- Constructor args: (1) where the browser is sent after local logout, i.e. the CAS
     logout URL; (2) the handlers run locally before that redirect. Triggered by
     /user/logout and placed before the standard LOGOUT_FILTER (see the
     custom-filter entry in security:http). -->
<bean id="requestSingleLogoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="${security.cas.logoutUrl}"/>
<constructor-arg>
<list>
<!-- Clears this application's SecurityContext on logout. -->
<bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
</list>
</constructor-arg>
<!-- NOTE(review): with no csrf element in the http block, this URL presumably
     accepts GET as well as POST; confirm, since a plain link could then log
     users out. -->
<property name="filterProcessesUrl" value="/user/logout"/>
</bean>
<!-- Gateway Authentication Filter Bean -->
<!-- CAS "gateway" mode (gateway=true): the CAS client asks the server whether the
     browser already holds a CAS SSO session without forcing a login prompt;
     renew=false accepts such an existing session. NOTE(review): this bean is not
     referenced by any custom-filter in the security:http block shown above, so as
     configured it is not in the filter chain at all. Wiring it in is presumably
     what is needed for a CAS-logged-in user to be recognised on the permitAll
     pages the question asks about; confirm against the CAS client documentation. -->
<bean id="casGatewayFilter"
class="org.jasig.cas.client.authentication.AuthenticationFilter">
<property name="casServerLoginUrl" value="${security.cas.loginUrl}"/>
<property name="gateway" value="true"/>
<property name="renew" value="false"/>
<property name="serverName" value="${security.cas.clientUrl}"/>
</bean>
<!-- Identity of this application as seen by CAS: the service URL CAS redirects back
     to with the ticket. sendRenew=false accepts an existing SSO session instead of
     requiring fresh credentials. -->
<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
<property name="service" value="${security.cas.serviceUrl}" />
<property name="sendRenew" value="false" />
</bean>
<!-- Receives the CAS service ticket and hands it to the authentication manager.
     On success the saved request (the page that triggered login) is replayed,
     using the custom redirect strategy declared below. -->
<bean id="casAuthenticationFilter"
class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationSuccessHandler">
<bean class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="redirectStrategy" ref="redirectStrategy"/>
</bean>
</property>
</bean>
<!-- Custom redirect strategy; presumably carries flash attributes across the
     post-login redirect through the session flash map. See the class for details. -->
<bean id="redirectStrategy" class="com.company.responder.auth.RegistrationAwareRedirectStrategy">
<property name="flashMapManager" ref="flashMapManager"/>
</bean>
<!-- Declared with name= while the other beans use id=; both resolve, but one
     convention would be easier to read. -->
<bean name="flashMapManager" class="org.springframework.web.servlet.support.SessionFlashMapManager"/>
<!-- Referenced by entry-point-ref on security:http: an unauthenticated request to a
     protected URL is redirected to the CAS login page, carrying this service URL. -->
<bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<property name="loginUrl" value="${security.cas.loginUrl}" />
<property name="serviceProperties" ref="serviceProperties" />
</bean>
<!-- Single provider: every authentication in this application goes through CAS
     ticket validation. -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="casAuthenticationProvider" />
</security:authentication-manager>
<bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<!-- Maps the validated CAS assertion to the local user; presumably this is where
     the CustomUser principal mentioned in the question is created. -->
<property name="authenticationUserDetailsService" ref="authenticationUserDetailsService"/>
<property name="serviceProperties" ref="serviceProperties" />
<!-- CAS 2.0 protocol validation: the service ticket is checked by calling back to the
     CAS server at baseUrl. NOTE(review): confirm ${security.cas.baseUrl} is an https
     URL, otherwise the validation response travels unprotected. -->
<property name="ticketValidator">
<bean id="cas20TicketValidator" class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<constructor-arg index="0" value="${security.cas.baseUrl}" />
</bean>
</property>
<!-- Identifies the tokens issued by this provider so it recognises them later. -->
<property name="key" value="CompanyCasAuthenticationProvider" />
</bean>
<bean id="authenticationUserDetailsService" class="com.company.responder.auth.ResponderUserDetailsService"/>
答案 0 :(得分:0)
做这类功能时,我通常使用 Spring Security 标签库,在 JSP 视图中按如下方式根据访问者是否已登录来控制显示内容:
<%-- Spring Security JSP tag library: sec:authorize evaluates the same expression
     language as the intercept-url rules; sec:authentication reads properties of
     the current Authentication. --%>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<html>
<div>Starting authorized block --------------------</div>
<%-- Rendered only when the current Authentication is a real (non-anonymous) login. --%>
<sec:authorize access="isAuthenticated()">
<b>Username:<sec:authentication property="principal.username" /></b>
<br/>
<%-- NOTE(review): the username is written into a URL path segment. sec:authentication
     HTML-escapes its output by default (htmlEscape), but HTML escaping is not URL
     encoding, so a username containing '/', '?' or '#' would change the link target;
     confirm usernames are constrained, or URL-encode the value here. --%>
<b>User profile:</b> <a href="/profiles/<sec:authentication property="principal.username" />">Profile</a>
<br/>
<%-- Nested check on one specific authority; ROLE_XXXX is a placeholder. --%>
<sec:authorize access="hasRole('ROLE_XXXX')">
<i>This content will only be visible to users who have
the requested "ROLE_XXXX" authority in their list of <tt>GrantedAuthority</tt>s.</i>
</sec:authorize>
<br/>
</sec:authorize>
<div>end of authorized block --------------------</div>
<div>Starting anonymous block --------------------</div>
<%-- The complementary case: shown when the context holds only an anonymous token. --%>
<sec:authorize access="isAnonymous()">
<b>The user is anonymous</b>
</sec:authorize>
<div>end of anonymous block --------------------</div>
...