堆栈内存溢出
  简体   繁体   English

春季安全性:如果用户未通过身份验证,则为http

[英]spring security: http if user not authenticate

 原文  2013-05-27 11:03:01       spring/ security

问题描述

I'm using Spring 3.2 + primefaces 3.5 + hibernate 4.1.9 The security context is: 我正在使用Spring 3.2 + primefaces 3.5 + hibernate 4.1.9安全上下文是: 

 <http auto-config='false' use-expressions="true" > <intercept-url pattern="/**/login" access="permitAll" requires-channel="https"/> <intercept-url pattern="/**/registration" access="permitAll" requires-channel="https" /> <intercept-url pattern="/**/cart" access="permitAll" requires-channel="https" /> <intercept-url pattern="/**/cart/**" access="hasAnyRole('USER','ADMIN')" requires-channel="https" /> <intercept-url pattern="/pages/adm/**" access="hasRole('ADMIN')" requires-channel="https" /> <intercept-url pattern="/*/account**" access="hasAnyRole('USER','ADMIN')" requires-channel="https" /> <intercept-url pattern="/**" requires-channel="any" /> <form-login login-page="/loginRedirect" authentication-failure-handler-ref="pennyUrlAuthenticationFailureHandler" authentication-success-handler-ref="pennyAuthSuccessHandler" default-target-url="/pages/account/orders.xhtml" /> <logout logout-success-url="/" invalidate-session="true"/> </http>

If I go to a page that requires HTTPS, for the rest of session, it will use the HTTPS protocol, even if the user is not authenticated. 如果我转到需要HTTPS的页面,则在会话的其余部分中,即使用户未通过身份验证,它也会使用HTTPS协议。 If I go to https ://mystite/en/cart, HTTPS will be used for all browsing session. 如果我访问https:// mystite / en / cart,HTTPS将用于所有浏览会话。

I do not want to switch HTTPS to HTTP forever, but only if the user is not authenticated. 我不想永远将HTTPS切换为HTTP,仅当用户未通过身份验证时才可以。 Can I force the HTTP for non-authenticated users? 我可以对未经身份验证的用户强制使用HTTP吗?

1 个解决方案

解决方案1
 1  2013-05-27 11:20:14

If I go to a page that requires HTTPS, for the rest of session, it will use the HTTPS protocol, even if the user is not authenticated. 如果我转到需要HTTPS的页面,则在会话的其余部分中,即使用户未通过身份验证,它也会使用HTTPS协议。

That's correct because of 这是正确的,因为 

<intercept-url pattern="/**/cart/**" access="hasAnyRole('USER','ADMIN')" requires-channel="https" />

Also, because of 另外,由于 

<intercept-url pattern="/**" requires-channel="any" />

it will stick with HTTPS once the user requested a resource that requires HTTPS. 一旦用户请求了需要HTTPS的资源,它将坚持使用HTTPS。 Why would it have to switch back if you say any (HTTPS is as good as any)? 如果您说了any (HTTPS和其他一样好),为什么还要切换回去?

Can I force the HTTP for non-authenticated users? 我可以对未经身份验证的用户强制使用HTTP吗?

No, not that I know of. 不,不是我所知道的。 Personally, I don't think this would make much sense either. 就个人而言,我也不认为这很有道理。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用 Spring Security 对用户进行身份验证 - Authenticate user with Spring Security 具有XML配置的Spring Security无法验证用户 - Spring Security with XML configuration does not authenticate user Spring安全性配置来认证ldap用户 - Spring security configuration to authenticate ldap user Spring Security对用户进行身份验证以输入管理员 - Spring security authenticate user to enter admin 如何使用Spring Security验证用户身份? - how to authenticate user using spring security? Spring Security 通过 post 对用户进行身份验证 - Spring Security authenticate user via post Spring 尽管用户存在于数据库中,但安全性无法验证用户 - Spring Security cannot authenticate user although the user is exist in database 春季安全性不进行身份验证 - spring security does not authenticate 通过Spring SAML安全性进行身份验证 - authenticate with Spring saml security Spring 安全认证逻辑 - Spring Security authenticate logic
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM