1. 首页
  2. 问答
  3. 春季安全:<secutiry =“无”>路径不可用

春季安全:<secutiry =“无”>路径不可用

2014-10-06 42 views
0

我尽量不再固定用它创建单独的某条路径:春季安全:<secutiry =“无”>路径不可用

<security:http pattern="/rest/**" security="none" />

但是当我尝试访问URL匹配该模式,例如

my-host:8080/my-context-root/rest/users

我收到异常反应500:

HTTP状态500 - 请求PROC失败;嵌套的例外是 org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: 的认证对象未在SecurityContext中

发现所以这就是问题所在。为什么我收到这个?为什么不安全的模式(所有过滤器和安全功能都应该完全禁用)等待一些证书?

我不确定我是否应该提供完整的.xml conf文件集,但如果它很重要,我可以。

UPDATE我的配置

过滤器和servlet映射:

<filter> 
    <filter-name>encoding-filter</filter-name> 
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class> 
    <init-param> 
     <param-name>encoding</param-name> 
     <param-value>UTF-8</param-value> 
    </init-param> 
</filter> 
<filter-mapping> 
    <filter-name>encoding-filter</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 

<filter> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
</filter> 
<filter-mapping> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 

<servlet> 
    <servlet-name>dispatcher</servlet-name> 
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 
    <init-param> 
     <param-name>contextConfigLocation</param-name> 
     <param-value> 
      classpath:spring-db.xml 
      classpath:spring-service.xml 
      classpath:spring-service-security.xml 
      classpath:spring-web-security.xml 
      classpath:spring-web-dispatcher.xml 
     </param-value> 
    </init-param> 
    <load-on-startup>1</load-on-startup> 
</servlet> 

<servlet-mapping> 
    <servlet-name>dispatcher</servlet-name> 
    <url-pattern>*.html</url-pattern> 
</servlet-mapping> 

<servlet-mapping> 
    <servlet-name>dispatcher</servlet-name> 
    <url-pattern>/rest/*</url-pattern> 
</servlet-mapping> 


<!-- welcome file --> 
<welcome-file-list> 
    <welcome-file>redirect.jsp</welcome-file> 
</welcome-file-list> 

<!-- session config --> 
<session-config> 
    <session-timeout>15</session-timeout> 
</session-config>

和安全

spring-service-security.xml 
    <security:global-method-security 
     secured-annotations="enabled" /> 

    <bean id="authenticationFilter" 
     class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter" 
     p:authenticationManager-ref="customAuthenticationManager" /> 

    <bean id="customAuthenticationManager" class="org.unidevteam.userstory.service.impl.AuthServiceImpl" /> 

    <bean id="passwordEncoder" 
     class="org.springframework.security.crypto.password.StandardPasswordEncoder" /> 

    <security:authentication-manager />

和弹簧网络的security.xml

<security:http pattern="/rest/**" security="none" /> 

    <bean id="authenticationEntryPoint" 
     class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint" 
     p:loginFormUrl="/login.html" /> 

    <security:http auto-config="true" use-expressions="true" 
     entry-point-ref="authenticationEntryPoint" access-denied-page="/login.html" 
     authentication-manager-ref="customAuthenticationManager"> 
     <security:intercept-url pattern="/login.html" 
      access="permitAll" /> 
     <security:intercept-url pattern="/home.html" 
      access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" /> 
     <security:intercept-url pattern="/users.html" 
      access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" /> 
     <security:intercept-url pattern="/rmuser.html" 
      access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" /> 
     <security:intercept-url pattern="/user.html" 
      access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" /> 
     <security:intercept-url pattern="/notifications.html" 
      access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" /> 
     <security:intercept-url pattern="/locations.html" 
      access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" /> 
     <security:intercept-url pattern="/rmlocation.html" 
      access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" /> 
     <security:intercept-url pattern="/location.html" 
      access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" /> 
     <security:intercept-url pattern="/events.html" 
      access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" /> 
     <security:logout invalidate-session="true" 
      logout-success-url="/logout.html" /> 
    </security:http> 

    <bean id="authenticationFilter" 
     class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter" 
     p:authenticationManager-ref="customAuthenticationManager" />

澄清,我正在做什么... 有一个第三方旧的mvc应用程序代码,现在我需要为其实现其他api。所以我决定它将在/ rest/path下可用。我打算稍后添加一些特殊的安全性(可能是基于令牌的身份验证)以供休息,但最初我决定完全不安全该路径以用于调试和测试目的。

来源

2014-10-06 Doob

+0

是的,请发布您的xml配置文件。可能是一些路径模式覆盖了这一个。 – freakman 2014-10-06 11:49:44

+0

你可以发布你的''和''吗? – 2014-10-06 11:49:55

+0

你可以发布你所有的spring-security.xml文件吗? – Pracede 2014-10-06 11:55:53

回答

0

我从来没有把安全相关的配置放在servletdispatcher应用程序容器中。 Spring安全性基于过滤器,过滤器在Servlet上下文级别声明,就像根应用程序上下文一样。

因此,我建议您将所有spring安全配置放入根应用程序上下文中 - 就像参考手册中给出的所有示例一样。根应用程序上下文通常通过以下方式由Spring ContextLoaderListener加载:

<context-param> 
<param-name>contextConfigLocation</param-name> 
<param-value>/WEB-INF/daoContext.xml /WEB-INF/applicationContext.xml</param-value> 
</context-param> 

<listener> 
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
</listener>

来源

2014-10-06 15:13:36

+0

谢谢,这是很好的建议!我刚刚从调度程序相关的上下文参数部分删除了与安全相关的东西,并且路径/ rest/*变得不安全。无论如何,我仍然不完全了解到底发生了什么,因为在此之前我已经注释了标记。对不起我的英语不好。 – Doob 2014-10-06 21:03:18

相关问题

 相关问题