Java 无法从Spring安全保护中排除某些URL

我们有以下spring安全配置：

<bean id="authenticationSuccessHandler" class="***.JsonAuthenticationSuccessHandler"/>

    <bean id="logoutSuccessHandler" class="***.web.security.***UrlLogoutSuccessHandler">
        <property name="redirectStrategy" ref="noRedirectStrategy"/>
    </bean>

    <bean id="authenticationFailureHandler"
          class="***.web.security.***UrlAuthenticationFailureHandler"/>

    <bean id="httpStatusEntryPoint" class="org.springframework.security.web.authentication.HttpStatusEntryPoint">
        <constructor-arg value="UNAUTHORIZED"/>
    </bean>

    <security:http auto-config="true" use-expressions="false" entry-point-ref="httpStatusEntryPoint">
        <security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrentSessionFilter"/>

        <security:form-login
                authentication-success-handler-ref="authenticationSuccessHandler"
                authentication-failure-handler-ref="authenticationFailureHandler"
                />

        <security:intercept-url pattern="/api/**"/>
        <security:anonymous enabled="false"/>
        <security:logout logout-url="/logout" delete-cookies="JSESSIONID,sessionId"
                         success-handler-ref="logoutSuccessHandler"
                />
        <security:csrf disabled="true"/>

        <security:session-management session-authentication-strategy-ref="sessionAuthenticationStrategy"/>
    </security:http>

    <bean id="concurrentSessionFilter" class="***.***ConcurrentSessionFilter">
        <constructor-arg ref="***SessionRegistry"/>
        <constructor-arg ref="errorController"/>
    </bean>

    <bean id="sessionAuthenticationStrategy" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
        <constructor-arg>
            <list>
                <ref bean="registerSessionAuthenticationStrategy"/>
                <ref bean="concurrentSessionControlAuthenticationStrategy"/>
            </list>
        </constructor-arg>
    </bean>

    <bean id="registerSessionAuthenticationStrategy" class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
        <constructor-arg name="sessionRegistry" ref="***SessionRegistry" />
    </bean>

    <bean id="concurrentSessionControlAuthenticationStrategy" class="***.web.security.***ConcurrentSessionControlAuthenticationStrategy">
        <constructor-arg name="sessionRegistry" ref="***SessionRegistry" />
        <constructor-arg name="logoutService" ref="logoutService"/>
        <property name="maximumSessions" value="1" />
    </bean>

    <!-- enable spring security annotation processing -->
    <security:global-method-security secured-annotations="enabled"/>

    <bean id="***LdapAuthenticationProvider" class="***.web.***LdapAuthProvider">
        <property name="url" value="${ldap.url}"/>
        <property name="filter" value="${ldap.filter}"/>
        <property name="domain" value="${ldap.domain}"/>
        <property name="dn" value="${ldap.dn}"/>
        <property name="ldapEnabled" value="${ldap.enable}"/>
    </bean>

    <security:authentication-manager>
        <security:authentication-provider ref="***LdapAuthenticationProvider"/>
        <security:authentication-provider user-service-ref="***UserDetailsService"/>
    </security:authentication-manager>

    <bean id="usersResource" class="org.springframework.core.io.ClassPathResource">
        <constructor-arg value="/users.properties" />
    </bean>

    <util:property-path id="usersResourceFile" path="usersResource.file" />

    <bean id="***UserDetailsService" class="***.web.security.***InMemoryUserDetailsManager">
        <constructor-arg index="0" ref="usersResourceFile"/>
    </bean>

即使用户未登录，也应可用

附笔。 我曾尝试应用这个答案，但对我无效：

UPD 我累了

    ....
    <bean id="httpStatusEntryPoint" class="org.springframework.security.web.authentication.HttpStatusEntryPoint">
        <constructor-arg value="UNAUTHORIZED"/>
    </bean>
    <security:http pattern="/api/url/available/without/login" security="none"/>
    <security:http auto-config="true" use-expressions="false" entry-point-ref="httpStatusEntryPoint">
    ....

抛出异常

您只需添加一个“默认”http侦听器：

<security:http xmlns="http://www.springframework.org/schema/security">
  <intercept-url pattern="/" access="permitAll()"/>
  <anonymous/>
  <csrf disabled="true"/>
</security:http>

---

在当前安全性之后：http标记。它将处理第一个http构造未处理的所有请求。

链接的答案应该可以工作，您是否将

放在

安全性上面：http auto config=“true”

？@RC我已升级主题您可以发布stacktrace吗？@RC。堆栈跟踪是什么意思？我不明白exception@RC. org.springframework.security.authentication.BadCredentialsException org.springframework.beans.factory.parsingException:配置问题：无法建立AuthenticationEntryPoint。请确保您通过名称空间配置了登录机制（例如表单登录），或使用“入口点引用”属性指定自定义AuthenticationEntryPoint |违规资源：类路径资源[context security.xml]好的，尝试添加到

安全性

标记中，但如果我想排除5个URL，该怎么办。我应该添加5个新的security:http标记吗？不，第一个security:http标记只处理对

/api/**

的请求。第二个“默认”http标记处理所有其他请求。如果您想保护一些新的url（然后您需要将这些新的https标记放在“默认”之前），您需要添加新的http标记。如果在security:httptag和/api之前添加security:http标记和特定url，则实际上可以工作/**

 SecurityContext securityContext = SecurityContextHolder.getContext();
 Authentication authentication = securityContext.getAuthentication();
 if (authentication == null || !authentication.isAuthenticated()) {
       String name = authentication != null ? authentication.getName() : "";
       throw new BadCredentialsException("Could not find user " + name);
  }

<security:http xmlns="http://www.springframework.org/schema/security">
  <intercept-url pattern="/" access="permitAll()"/>
  <anonymous/>
  <csrf disabled="true"/>
</security:http>