Spring Security:在PUT / POST请求中访问当前经过身份验证的用户

时间:2016-08-23 05:55:03

标签: spring-mvc spring-security

我正在尝试使用GET方法使用Spring安全性进行身份验证,因为以下工作正常,POST方法提供null值。 我用于POST请求。这会导致问题吗?有人可以帮忙解决这个问题吗?

获取方法 

@RequestMapping(value = "/getuser", method = RequestMethod.GET)
@ResponseBody
public String getAuthenticatedUser(){
Authentication user =(Authentication)SecurityContextHolder.getContext()
    .getAuthentication();
String userName = user.getUser().getUsername();
return userName;
 }
}

POST METHOD 

@RequestMapping(value = "/rest/getuser", method = RequestMethod.POST)
@ResponseBody
public String getAuthenticatedUser(){
Authentication user =(Authentication)SecurityContextHolder.getContext()
    .getAuthentication();
String userName = user.getUser().getUsername();
return userName;
 }
}

弹簧security.xml文件 

    <?xml version="1.0" encoding="UTF-8"?>
     <beans:beans xmlns="http://www.springframework.org/schema/security"
     xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security.xsd">
<!--HTTP Interceptors for authentication -->
<http pattern="/templates/**" security="none"></http>
<http pattern="/css/**" security="none"></http>
<http pattern="/js/**" security="none"></http>
<http pattern="/lib/**" security="none"></http>
<http pattern="/lib/css/**" security="none"></http>
<http pattern="/lib/js/**" security="none"></http>
<http pattern="/lib/fonts/**" security="none"></http>
<http pattern="/img/**" security="none"></http>
<http pattern="/rest/**" security="none"></http>
<http pattern="/oAuth" security="none"></http>
<http entry-point-ref="entryPoint"
    auto-config="true" use-expressions="true">
    <anonymous enabled="false"></anonymous>
    <custom-filter ref="oAuthFilter" after="SECURITY_CONTEXT_FILTER"></custom-filter>
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"></intercept-url>
</http>

<authentication-manager alias="upmAuthenticationManager"></authentication-manager>
<beans:bean id="entryPoint" class="auth.EntryPoint">
    <beans:constructor-arg value="/index.html"></beans:constructor-arg>
</beans:bean>

<beans:bean id="oAuthEnd" name="auth.oAuthEnd"
    class="oAuth.OAuthServlet">
    <beans:property name="oAuthFilter" ref="oAuthFilter"></beans:property>
</beans:bean>
<beans:bean id="oAuthFilter" class="auth.filter">
    <beans:property name="id"
        value=""></beans:property>
    <beans:property name="secret"
        value=""></beans:property>
    <beans:property name="url"
        value=""></beans:property>
</beans:bean>

2 个答案:

答案 0 :(得分:0)

请求方法与它无关。但是这一行:

<intercept-url pattern="/rest/**" access="permitAll"/>

它将禁用该路径的所有安全处理。

也许你打算:

{{1}}

答案 1 :(得分:0)

请在WebSecurityConfigurerAdapter中禁用CSRF。示例:

http.csrf().disable();

或“真实”示例:

@Configuration
@EnableGlobalMethodSecurity(
    securedEnabled = true,
    jsr250Enabled = true,
    prePostEnabled = true
)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {


        http.httpBasic().and().csrf().disable(); // <-- CSRF DISABLED


    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user").password("{noop}password").roles("USER")
                .and()
                .withUser("admin").password("{noop}password").roles("ADMIN");
    }

}
相关问题
最新问题