Spring 无法使用access=";";
我正在使用Spring4和Hibernate5 下面是我的spring安全性的xml配置 我有一句话:Spring 无法使用access=";";,spring,rest,spring-security,Spring,Rest,Spring Security,我正在使用Spring4和Hibernate5 下面是我的spring安全性的xml配置 我有一句话: <intercept-url pattern="/android/download" access="permitAll" /> 我的配置文件有问题吗?我不希望设置为security=“none”,因为我希望它通过SpringSecurity 这可能是在CustomAuthenticationFilter类中进行身份验证的顺序吗 spring安全性的XML文件:
<intercept-url pattern="/android/download" access="permitAll" />
我的配置文件有问题吗?我不希望设置为security=“none”
,因为我希望它通过SpringSecurity
这可能是在CustomAuthenticationFilter类中进行身份验证的顺序吗
spring安全性的XML文件:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd">
<sec:http auto-config="false" create-session="stateless" entry-point-ref="customEntryPoint" use-expressions="true">
<intercept-url pattern="/admin/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR')" />
<intercept-url pattern="/agent/**" access="isFullyAuthenticated()" />
<intercept-url pattern="/analysis/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('IC') or hasRole('OPS')" />
<intercept-url pattern="/android/download" access="permitAll" />
<intercept-url pattern="/android/**" access="hasRole('ADMIN') or hasRole('SNF_AGENT')" />
<intercept-url pattern="/audit/**" access="hasRole('ADMIN')" />
<intercept-url pattern="/auth/logout" access="isFullyAuthenticated()" />
<intercept-url pattern="/external/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('SV_IC') or hasRole('IC') " />
<intercept-url pattern="/index.xhtml" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR')" />
<intercept-url pattern="/misc/**" access="isFullyAuthenticated()" />
<intercept-url pattern="/mission/missions/search" access="isFullyAuthenticated()" />
<intercept-url pattern="/mission/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('SV_IC')" />
<intercept-url pattern="/report/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR')" />
<intercept-url pattern="/request/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('IC') or hasRole('OPS')" />
<intercept-url pattern="/target/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('IC')" />
<intercept-url pattern="/trawling/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR')" />
<intercept-url pattern="/**" access="denyAll" />
<sec:custom-filter ref="customAuthenticationFilter"
before="PRE_AUTH_FILTER" />
<sec:csrf disabled="true" />
</sec:http>
<sec:authentication-manager alias="authenticationManager">
<authentication-provider ref="customAuthenticationProvider" />
</sec:authentication-manager>
<beans:bean id="customAuthenticationFilter"
class="com.test.common.CustomAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="authenticationSuccessHandler"
ref="customSuccessHandler" />
</beans:bean>
<beans:bean id="customSuccessHandler" class="com.test.common.CustomSuccessHandler" />
</beans:beans>
permitAll意味着允许进行任何身份验证,即使是
匿名身份验证令牌
,但您的请求从未达到如此程度。您有一个自定义筛选器,我假定它是从AbstractAuthenticationProcessingFilter
派生而来的,并且由于缺少标头时筛选器会引发异常,因此您的请求从未发送到AuthenticationManager
有几种方法可以解决这个问题,这里有两种
,并为此筛选器链使用匿名AuthenticationFilter
AnonymousAuthenticationToken
希望这有帮助。异常显示com.test.common.JwtTokenMissingException:在请求头中找不到令牌。。此异常是从您的attemptAuthentication方法中引发的。看起来您必须在身份验证头中传递JWT令牌。JWT令牌是由身份验证服务器创建的。@KlausGroenbaek是的,我知道。我所要求的是,在调用attemptAuthentication()时,我是否可以允许permitAll通过,或者在使用permitAll时,我是否可以控制验证顺序?
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd">
<sec:http auto-config="false" create-session="stateless" entry-point-ref="customEntryPoint" use-expressions="true">
<intercept-url pattern="/admin/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR')" />
<intercept-url pattern="/agent/**" access="isFullyAuthenticated()" />
<intercept-url pattern="/analysis/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('IC') or hasRole('OPS')" />
<intercept-url pattern="/android/download" access="permitAll" />
<intercept-url pattern="/android/**" access="hasRole('ADMIN') or hasRole('SNF_AGENT')" />
<intercept-url pattern="/audit/**" access="hasRole('ADMIN')" />
<intercept-url pattern="/auth/logout" access="isFullyAuthenticated()" />
<intercept-url pattern="/external/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('SV_IC') or hasRole('IC') " />
<intercept-url pattern="/index.xhtml" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR')" />
<intercept-url pattern="/misc/**" access="isFullyAuthenticated()" />
<intercept-url pattern="/mission/missions/search" access="isFullyAuthenticated()" />
<intercept-url pattern="/mission/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('SV_IC')" />
<intercept-url pattern="/report/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR')" />
<intercept-url pattern="/request/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('IC') or hasRole('OPS')" />
<intercept-url pattern="/target/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR') or hasRole('IC')" />
<intercept-url pattern="/trawling/**" access="hasRole('ADMIN') or hasRole('MANAGER') or hasRole('SUPERVISOR')" />
<intercept-url pattern="/**" access="denyAll" />
<sec:custom-filter ref="customAuthenticationFilter"
before="PRE_AUTH_FILTER" />
<sec:csrf disabled="true" />
</sec:http>
<sec:authentication-manager alias="authenticationManager">
<authentication-provider ref="customAuthenticationProvider" />
</sec:authentication-manager>
<beans:bean id="customAuthenticationFilter"
class="com.test.common.CustomAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="authenticationSuccessHandler"
ref="customSuccessHandler" />
</beans:bean>
<beans:bean id="customSuccessHandler" class="com.test.common.CustomSuccessHandler" />
</beans:beans>
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
{
String header = request.getHeader(this.tokenHeader);
if (request.getServletPath().contains(".xhtml"))
{
header = (String) request.getSession().getAttribute("token");
}
if (header == null || !header.startsWith(PropertiesUtil.TOKEN_HEADER))
{
throw new JwtTokenMissingException(msgProperty.getProperty(MessageUtil.ERR_AUTH_NO_TOKEN));
}
String authToken = header.substring(PropertiesUtil.TOKEN_HEADER.length());
JwtAuthenticationToken authRequest = new JwtAuthenticationToken(authToken);
return getAuthenticationManager().authenticate(authRequest);
}