Spring Security: <security="none"> path is not available
I am trying to unsecure a single path by creating a separate entry for it:
<security:http pattern="/rest/**" security="none" />
But when I try to access a URL matching that pattern, for example
my-host:8080/my-context-root/rest/users
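I get a 500 error response:
HTTP Status 500 - Request processing failed; nested exception is org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
So that is the question. Why am I getting this? Why does an unsecured pattern (where all filters and security features should be completely disabled) expect some credentials?
I'm not sure whether I should provide the full set of .xml conf files, but if it matters, I can.
UPDATE: my configuration
Filter and servlet mappings: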
<filter>
<filter-name>encoding-filter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encoding-filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:spring-db.xml
classpath:spring-service.xml
classpath:spring-service-security.xml
classpath:spring-web-security.xml
classpath:spring-web-dispatcher.xml
</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>*.html</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
<!-- welcome file -->
<welcome-file-list>
<welcome-file>redirect.jsp</welcome-file>
</welcome-file-list>
<!-- session config -->
<session-config>
<session-timeout>15</session-timeout>
</session-config>
and security
spring-service-security.xml
<security:global-method-security
secured-annotations="enabled" />
<bean id="authenticationFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:authenticationManager-ref="customAuthenticationManager" />
<bean id="customAuthenticationManager" class="org.unidevteam.userstory.service.impl.AuthServiceImpl" />
<bean id="passwordEncoder"
class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
<security:authentication-manager />
and spring-web-security.xml
<security:http pattern="/rest/**" security="none" />
<bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
p:loginFormUrl="/login.html" />
<security:http auto-config="true" use-expressions="true"
entry-point-ref="authenticationEntryPoint" access-denied-page="/login.html"
authentication-manager-ref="customAuthenticationManager">
<security:intercept-url pattern="/login.html"
access="permitAll" />
<security:intercept-url pattern="/home.html"
access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
<security:intercept-url pattern="/users.html"
access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
<security:intercept-url pattern="/rmuser.html"
access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
<security:intercept-url pattern="/user.html"
access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
<security:intercept-url pattern="/notifications.html"
access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
<security:intercept-url pattern="/locations.html"
access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
<security:intercept-url pattern="/rmlocation.html"
access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
<security:intercept-url pattern="/location.html"
access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
<security:intercept-url pattern="/events.html"
access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" />
<security:logout invalidate-session="true"
logout-success-url="/logout.html" />
</security:http>
<bean id="authenticationFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:authenticationManager-ref="customAuthenticationManager" />
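To clarify what I'm doing... There is third-party legacy MVC application code, and now I need to implement a REST API for it. So I decided it would be available under the /rest/ path. I plan to add some special security for REST later (possibly token-based authentication), but initially I decided to leave that path completely unsecured for debugging and testing purposes.
Yes, please post your xml config files. Maybe some path pattern is overriding this one. – freakman 2014-10-06 11:49:44
Can you post your ' ' and ' '? – 2014-10-06 11:49:55
Can you post all of your spring-security.xml files? – Pracede 2014-10-06 11:55:53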
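Added example, not part of the original thread or the poster's project: `security="none"` removes the entire filter chain for `/rest/**`, so nothing populates the `SecurityContext` there, while `<security:global-method-security secured-annotations="enabled" />` still intercepts `@Secured` methods and throws `AuthenticationCredentialsNotFoundException` when it finds no `Authentication`. The fragment below keeps the chain and permits every request at the URL level instead. It assumes the REST handlers reach `@Secured` service methods (the thread does not show them), and the bean id `restEntryPoint` is hypothetical.

```xml
<!-- Added example; the bean id "restEntryPoint" is a hypothetical name. -->

<!-- Before (from the question): no filter chain at all for /rest/**, so the
     SecurityContext stays empty and method security has nothing to check. -->
<!-- <security:http pattern="/rest/**" security="none" /> -->

<!-- After: the chain stays in place, so the default anonymous filter puts an
     anonymous Authentication into the SecurityContext; URL-level access is
     still open to everyone. -->
<bean id="restEntryPoint"
      class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

<!-- Must be declared before the catch-all <security:http> block, because the
     first <http> element whose pattern matches the request wins. -->
<security:http pattern="/rest/**" use-expressions="true"
               create-session="stateless"
               entry-point-ref="restEntryPoint"
               authentication-manager-ref="customAuthenticationManager">
    <security:intercept-url pattern="/rest/**" access="permitAll" />
</security:http>
```

`@Secured` methods still require their roles under this configuration, so an anonymous call that reaches one is denied by method security rather than failing for lack of an `Authentication` object.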