2014-10-06 45 views
0

Spring Security: <security="none"> path not available

I am trying to make one specific path unsecured with:

<security:http pattern="/rest/**" security="none" /> 

But when I try to access a URL matching that pattern, e.g.

my-host:8080/my-context-root/rest/users 

I get a 500 error response:

HTTP Status 500 - Request processing failed; nested exception is org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext

So that is the problem. Why do I get this? Why does an unsecured pattern (where all filters and security features should be completely disabled) expect any credentials?

I am not sure whether I should provide the full set of .xml config files, but if it matters, I can.

UPDATE: my configuration

Filter and servlet mappings:

<filter> 
    <filter-name>encoding-filter</filter-name> 
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class> 
    <init-param> 
     <param-name>encoding</param-name> 
     <param-value>UTF-8</param-value> 
    </init-param> 
</filter> 
<filter-mapping> 
    <filter-name>encoding-filter</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 

<filter> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
</filter> 
<filter-mapping> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 

<servlet> 
    <servlet-name>dispatcher</servlet-name> 
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 
    <init-param> 
     <param-name>contextConfigLocation</param-name> 
     <param-value> 
      classpath:spring-db.xml 
      classpath:spring-service.xml 
      classpath:spring-service-security.xml 
      classpath:spring-web-security.xml 
      classpath:spring-web-dispatcher.xml 
     </param-value> 
    </init-param> 
    <load-on-startup>1</load-on-startup> 
</servlet> 

<servlet-mapping> 
    <servlet-name>dispatcher</servlet-name> 
    <url-pattern>*.html</url-pattern> 
</servlet-mapping> 

<servlet-mapping> 
    <servlet-name>dispatcher</servlet-name> 
    <url-pattern>/rest/*</url-pattern> 
</servlet-mapping> 


<!-- welcome file --> 
<welcome-file-list> 
    <welcome-file>redirect.jsp</welcome-file> 
</welcome-file-list> 

<!-- session config --> 
<session-config> 
    <session-timeout>15</session-timeout> 
</session-config> 

and security

spring-service-security.xml 
    <security:global-method-security 
     secured-annotations="enabled" /> 

    <bean id="authenticationFilter" 
     class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter" 
     p:authenticationManager-ref="customAuthenticationManager" /> 

    <bean id="customAuthenticationManager" class="org.unidevteam.userstory.service.impl.AuthServiceImpl" /> 

    <bean id="passwordEncoder" 
     class="org.springframework.security.crypto.password.StandardPasswordEncoder" /> 

    <security:authentication-manager /> 

and spring-web-security.xml

<security:http pattern="/rest/**" security="none" /> 

    <bean id="authenticationEntryPoint" 
     class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint" 
     p:loginFormUrl="/login.html" /> 

    <security:http auto-config="true" use-expressions="true" 
     entry-point-ref="authenticationEntryPoint" access-denied-page="/login.html" 
     authentication-manager-ref="customAuthenticationManager"> 
     <security:intercept-url pattern="/login.html" 
      access="permitAll" /> 
     <security:intercept-url pattern="/home.html" 
      access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" /> 
     <security:intercept-url pattern="/users.html" 
      access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" /> 
     <security:intercept-url pattern="/rmuser.html" 
      access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" /> 
     <security:intercept-url pattern="/user.html" 
      access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" /> 
     <security:intercept-url pattern="/notifications.html" 
      access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" /> 
     <security:intercept-url pattern="/locations.html" 
      access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" /> 
     <security:intercept-url pattern="/rmlocation.html" 
      access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" /> 
     <security:intercept-url pattern="/location.html" 
      access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" /> 
     <security:intercept-url pattern="/events.html" 
      access="hasAnyRole('ROLE_ADMIN','ROLE_ORGANIZER')" /> 
     <security:logout invalidate-session="true" 
      logout-success-url="/logout.html" /> 
    </security:http> 

    <bean id="authenticationFilter" 
     class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter" 
     p:authenticationManager-ref="customAuthenticationManager" /> 

To clarify what I am doing... There is a third-party legacy MVC application, and now I need to implement an additional API for it. So I decided it would be available under the /rest/ path. I plan to add some special security (probably token-based authentication) for the REST part later, but initially I decided to leave that path completely unsecured for debugging and testing purposes.

+0

Yes, please post your xml config files. Maybe some path pattern overrides this one. – freakman 2014-10-06 11:49:44

+0

Can you post your '' and ''? – 2014-10-06 11:49:55

+0

Can you post all of your spring-security.xml files? – Pracede 2014-10-06 11:55:53

Answer

0

I have never put security-related configuration in the DispatcherServlet application context. Spring Security is filter-based, and filters are declared at the servlet context level, just like the root application context.

So I suggest you put all of your Spring Security configuration into the root application context, as all the examples in the reference manual do. The root application context is normally loaded by Spring's ContextLoaderListener via:

<context-param> 
<param-name>contextConfigLocation</param-name> 
<param-value>/WEB-INF/daoContext.xml /WEB-INF/applicationContext.xml</param-value> 
</context-param> 

<listener> 
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
</listener> 
+0

Thanks, that is good advice! I just removed the security-related entries from the dispatcher's contextConfigLocation section, and the path /rest/* became unsecured. Anyway, I still don't fully understand what exactly happened, because before that I had commented out the tag. Sorry for my bad English. – Doob 2014-10-06 21:03:18