Spring Security: <security="none"> path not working
I am trying to unsecure one particular path by defining it separately:
<security:http pattern="/rest/**" security="none" />
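But when I try to access a URL matching that pattern, for example
my-host:8080/my-context-root/rest/users
I get a 500 error response:
HTTP Status 500 - Request processing failed; nested exception is org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
So here is the question: why am I getting this? Why does an unsecured pattern (for which all filters and security features should be completely disabled) expect some credentials?
I am not sure whether I should provide the full set of .xml conf files, but I can if it matters.
UPDATE: my configuration
Filter and servlet mappings: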
<filter>
    <filter-name>encoding-filter</filter-name>
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>encoding-filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
    <servlet-name>dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            classpath:spring-db.xml
            classpath:spring-service.xml
            classpath:spring-service-security.xml
            classpath:spring-web-security.xml
            classpath:spring-web-dispatcher.xml
        </param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>dispatcher</servlet-name>
    <url-pattern>*.html</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>dispatcher</servlet-name>
    <url-pattern>/rest/*</url-pattern>
</servlet-mapping>
<!-- welcome file -->
<welcome-file-list>
    <welcome-file>redirect.jsp</welcome-file>
</welcome-file-list>
<!-- session config -->
<session-config>
    <session-timeout>15</session-timeout>
</session-config>
And security:
spring-service-security.xml
<security:global-method-security
    secured-annotations="enabled" />
<bean id="authenticationFilter"
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
    p:authenticationManager-ref="customAuthenticationManager" />
<bean id="customAuthenticationManager" class="org.unidevteam.userstory.service.impl.AuthServiceImpl" />
<bean id="passwordEncoder"
    class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
<security:authentication-manager />
And spring-web-security.xml
<security:http pattern="/rest/**" security="none" />
<bean id="authenticationEntryPoint"
    class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
    p:loginFormUrl="/login.html" />
<security:http auto-config="true" use-expressions="true"
    entry-point-ref="authenticationEntryPoint" access-denied-page="/login.html"
    authentication-manager-ref="customAuthenticationManager">
    <security:intercept-url pattern="/login.html"
        access="permitAll" />
    <security:intercept-url pattern="/home.html"
        access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
    <security:intercept-url pattern="/users.html"
        access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
    <security:intercept-url pattern="/rmuser.html"
        access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
    <security:intercept-url pattern="/user.html"
        access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
    <security:intercept-url pattern="/notifications.html"
        access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
    <security:intercept-url pattern="/locations.html"
        access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
    <security:intercept-url pattern="/rmlocation.html"
        access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
    <security:intercept-url pattern="/location.html"
        access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
    <security:intercept-url pattern="/events.html"
        access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
    <security:logout invalidate-session="true"
        logout-success-url="/logout.html" />
</security:http>
<bean id="authenticationFilter"
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
    p:authenticationManager-ref="customAuthenticationManager" />
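To clarify what I am doing... There is some third-party legacy MVC application code, and now I need to implement an additional API for it. So I decided it will be available under the /rest/ path. I plan to add some special security for REST later (probably token-based authentication), but initially I decided to leave that path completely unsecured for debugging and testing purposes.
Yes, please post your XML configuration files. Probably some path pattern is overriding this one. – freakman 2014-10-06 11:49:44
Can you post your ' ' and ' '? – 2014-10-06 11:49:55
Can you post all of your spring-security.xml files? – Pracede 2014-10-06 11:55:53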
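Added example, not part of the original post or its comments: `security="none"` gives `/rest/**` an empty filter chain, so no filter ever places an `Authentication` in the `SecurityContext`, while `<security:global-method-security>` still guards annotated service beans and raises `AuthenticationCredentialsNotFoundException` when it finds the context empty. The fragment below shows the question's setting beside a dedicated stateless chain that keeps `/rest/**` separate from the form-login chain but still populates the context. Assumptions: the REST controllers call `@Secured` service methods (the page does not show them), and HTTP Basic is chosen only for illustration.

```xml
<!-- Before (from the question): requests matching /rest/** bypass every
     security filter, so the SecurityContext is empty when a @Secured
     service method is invoked. -->
<!-- <security:http pattern="/rest/**" security="none" /> -->

<!-- After (illustrative, not the poster's configuration): a separate chain
     for /rest/**. It must be declared before the catch-all <security:http>
     so that it is matched first. -->
<security:http pattern="/rest/**"
               use-expressions="true"
               create-session="stateless"
               authentication-manager-ref="customAuthenticationManager">
    <!-- Roles reused from the page's .html rules (assumption); adjust to
         whatever the REST API should require. -->
    <security:intercept-url pattern="/rest/**"
                            access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
    <!-- HTTP Basic authenticates each request and fills the SecurityContext
         that method security then evaluates. -->
    <security:http-basic />
</security:http>
```

HTTP Basic sends credentials base64-encoded only, so this chain belongs behind TLS.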