Trying to turn off security for one URL using XML configuration

Time: 2018-01-15 15:07:50

Tags: spring-boot spring-security

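I have checked several blog / doc / Stack Overflow forum entries, but I still don't know what I'm doing wrong. I would like to grant anyone access to a URL. permitAll doesn't work because I have custom filters. So I wanted to create a separate http element and use the security="none" setting, but so far without success.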

<security:http pattern="/status" security="none"/>

<!-- ******************** rules with encryption and HMAC authentication ******************** -->
<security:http create-session="stateless" use-expressions="true" authentication-manager-ref="authenticationManager" auto-config="true" entry-point-ref="http403EntryPoint" pattern="/**">
    <!-- HMAC only -->
    <security:intercept-url pattern="/utils/logheaderpattern/check" access="authenticated" />
    <security:intercept-url pattern="/executionflow/approve" access="authenticated" />
    <security:intercept-url pattern="/executionflow/approve_and_forced_start" access="authenticated" />
    <security:intercept-url pattern="/utils/maintenancewindow/next/**" access="authenticated" />
    <security:intercept-url pattern="/executionflow/start/manual" access="authenticated" />
    <security:intercept-url pattern="/executionflow/start/eventlife" access="authenticated" />
    <security:intercept-url pattern="/executionflow/skip/eventlife" access="authenticated" />
    <security:intercept-url pattern="/executionflow/start/scheduled" access="authenticated" />
    <security:intercept-url pattern="/utils/cron/nextrun" access="authenticated" />
    <!-- HMAC and encryption (set in encryptionFilter) -->
    <security:intercept-url pattern="/worker/command/**" access="authenticated" />
    <security:intercept-url pattern="/worker/event" access="authenticated" />
    <security:intercept-url pattern="/worker/system/**" access="authenticated" />
    <!-- deny all others -->
    <security:intercept-url pattern="/**" access="denyAll" />

    <security:csrf disabled="true" />
    <security:custom-filter ref="encryptionFilter" before="FORM_LOGIN_FILTER"/>
    <security:custom-filter ref="hmacAuthenticationFilter" after="FORM_LOGIN_FILTER"/>
</security:http>


<!-- ******************** Defining the authentication manager ******************** -->
<security:authentication-manager erase-credentials="false" id="authenticationManager">
    <security:authentication-provider user-service-ref="fileBasedUserDetailsService">
    </security:authentication-provider>
</security:authentication-manager>

Controller:

@Controller
public class WebController {
  @RequestMapping(value = "/status", method = RequestMethod.GET)
  public String redirect() {
     return "redirect:/pages/status.html";
  }
}

Spring Boot initializer:

@Configuration
@ImportResource({"classpath:applicationContext.xml", "classpath:securityContext.xml"})
@ComponentScan(basePackages = {"org.reaction.engine.controller", 
                            "org.reaction.engine.persistence.service",
                            "org.reaction.engine.persistence.converter",
                            "org.reaction.engine.service",
                            "org.reaction.engine.scheduling.utils"})
@EnableAutoConfiguration
public class WebInitializer extends SpringBootServletInitializer implements WebApplicationInitializer {

  @Override
  protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
     return application.sources(WebInitializer.class);
  }


  public static void main(String[] args) throws Exception {
     SpringApplication.run(WebInitializer.class, args);
  }

}

I keep getting an exception. Any ideas?

2 answers:

Answer 0 (score: 0)

<security:intercept-url pattern="/**" access="denyAll" />

will not permit access to any of the resources, no matter what sub-patterns you define for other resources.

Change your pattern to something like

<!-- add an extra folder and shift the resources there -->
<security:intercept-url pattern="/secure/**" access="denyAll" />

<security:intercept-url pattern="/**" access="permitAll()" />

Answer 1 (score: 0)

This is a bug / missing feature in Spring Boot / Spring Security, see

There may be some workarounds; one is to use Java configuration instead of XML configuration.