Spring Security ROLE_ANONYMOUS does not work when deny-by-default is enabled

Date: 2017-03-05 05:51:17

Tags: java spring spring-mvc spring-security

I have enabled deny-by-default. With that in place I want to provide anonymous access to some controllers. For that I enabled anonymous authentication.

If I use antMatchers("/").permitAll() it works fine. But if I use @PreAuthorize(value="hasRole('ROLE_ANONYMOUS')") the controller does not work for me:

{
  "timeStamp": 1488692168652,
  "success": false,
  "message": "Full authentication is required to access this resource",
  "class": "org.springframework.security.authentication.InsufficientAuthenticationException"
}

Spring Security configuration:

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity.csrf().disable();
    httpSecurity.httpBasic().disable();

    // enable anonymous access
    httpSecurity.anonymous();

    httpSecurity.authorizeRequests()
        //.antMatchers("/").permitAll()
        .anyRequest().authenticated();

    httpSecurity.addFilterAt(jsonAuthenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
    // Call our errorHandler if authentication/authorization fails
    httpSecurity.exceptionHandling().authenticationEntryPoint(new JwtAuthenticationEntryPoint());
    httpSecurity.exceptionHandling().accessDeniedHandler(new JwtAccessDeniedHandler());

    // don't create session
    httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // Custom JWT based security filter
    httpSecurity.addFilterAfter(jwtAuthenticationTokenFilterBean(), RememberMeAuthenticationFilter.class);

    // disable page caching
    httpSecurity.headers().cacheControl().disable();
}

Controller:

@RestController
@PreAuthorize(value="hasRole('ROLE_ANONYMOUS')")
public class HomeController {

    @RequestMapping("/")
    String execute() {
        return "hello";
    }
}

1 answer:

Answer 0 (score: 2)

When you use @PreAuthorize(value="hasRole('ROLE_ANONYMOUS')") together with anyRequest().authenticated(), you have configured the security chain to authenticate all requests, which catches the anonymous request and rejects it before it reaches the controller.

You can configure it with antMatchers("/").permitAll() or antMatchers("/").anonymous() so that the request passes through the security filter chain.
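The following is an added example, not code from the question or the answer above, showing the answer's fix in a complete configuration. It uses the same WebSecurityConfigurerAdapter API as the question; the asker's JWT filters, entry point and access-denied handler are not on the page and are left out, and the class name AnonymousHomeSecurityConfig is an assumption. The point it demonstrates is ordering: URL rules from authorizeRequests() are enforced by FilterSecurityInterceptor before the request reaches any controller, so anyRequest().authenticated() rejects the AnonymousAuthenticationToken (whose isAuthenticated() check fails) and the method-level @PreAuthorize is never evaluated. Opening "/" at the URL layer lets the request through to the method check.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Assumed class name; the asker's JWT filters and handlers are omitted here.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // needed for @PreAuthorize to be evaluated at all
public class AnonymousHomeSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.httpBasic().disable();
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // Keeps AnonymousAuthenticationFilter in the chain. When no earlier filter
        // authenticated the request, it stores an AnonymousAuthenticationToken
        // carrying ROLE_ANONYMOUS in the SecurityContext.
        http.anonymous();

        http.authorizeRequests()
            // Evaluated by FilterSecurityInterceptor, before any controller runs.
            // "/" is explicitly opened to anonymous callers; with only
            // anyRequest().authenticated() the anonymous token would be rejected
            // here with InsufficientAuthenticationException, as in the question.
            .antMatchers("/").anonymous()
            // Everything else stays deny-by-default.
            .anyRequest().authenticated();
    }
}

// Because the URL rule now admits the anonymous request, this method-level
// check is actually reached and succeeds for the anonymous token.
@RestController
class HomeController {

    @RequestMapping("/")
    @PreAuthorize("hasRole('ROLE_ANONYMOUS')")
    String execute() {
        return "hello";
    }
}
```

The two options in the answer are not equivalent. antMatchers("/").anonymous() admits only callers whose Authentication is the anonymous token, so a request that presents a valid JWT and is authenticated by an earlier filter is denied on "/" (both by the URL rule and by hasRole('ROLE_ANONYMOUS')). antMatchers("/").permitAll() admits anonymous and authenticated callers alike, which is usually what a public endpoint wants; if the intent is "anyone may call this", use permitAll() and drop the ROLE_ANONYMOUS check rather than restricting the endpoint to unauthenticated users only.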