[英]spring security: http if user not authenticate
I'm using Spring 3.2 + primefaces 3.5 + hibernate 4.1.9 The security context is: 我正在使用Spring 3.2 + primefaces 3.5 + hibernate 4.1.9安全上下文是:
<http auto-config='false' use-expressions="true" > <intercept-url pattern="/**/login" access="permitAll" requires-channel="https"/> <intercept-url pattern="/**/registration" access="permitAll" requires-channel="https" /> <intercept-url pattern="/**/cart" access="permitAll" requires-channel="https" /> <intercept-url pattern="/**/cart/**" access="hasAnyRole('USER','ADMIN')" requires-channel="https" /> <intercept-url pattern="/pages/adm/**" access="hasRole('ADMIN')" requires-channel="https" /> <intercept-url pattern="/*/account**" access="hasAnyRole('USER','ADMIN')" requires-channel="https" /> <intercept-url pattern="/**" requires-channel="any" /> <form-login login-page="/loginRedirect" authentication-failure-handler-ref="pennyUrlAuthenticationFailureHandler" authentication-success-handler-ref="pennyAuthSuccessHandler" default-target-url="/pages/account/orders.xhtml" /> <logout logout-success-url="/" invalidate-session="true"/> </http>
If I go to a page that requires HTTPS, for the rest of session, it will use the HTTPS protocol, even if the user is not authenticated. 如果我转到需要HTTPS的页面,则在会话的其余部分中,即使用户未通过身份验证,它也会使用HTTPS协议。 If I go to https ://mystite/en/cart, HTTPS will be used for all browsing session. 如果我访问https:// mystite / en / cart,HTTPS将用于所有浏览会话。
I do not want to switch HTTPS to HTTP forever, but only if the user is not authenticated. 我不想永远将HTTPS切换为HTTP,仅当用户未通过身份验证时才可以。 Can I force the HTTP for non-authenticated users? 我可以对未经身份验证的用户强制使用HTTP吗?
If I go to a page that requires HTTPS, for the rest of session, it will use the HTTPS protocol, even if the user is not authenticated. 如果我转到需要HTTPS的页面,则在会话的其余部分中,即使用户未通过身份验证,它也会使用HTTPS协议。
That's correct because of 这是正确的,因为
<intercept-url pattern="/**/cart/**" access="hasAnyRole('USER','ADMIN')" requires-channel="https" />
Also, because of 另外,由于
<intercept-url pattern="/**" requires-channel="any" />
it will stick with HTTPS once the user requested a resource that requires HTTPS. 一旦用户请求了需要HTTPS的资源,它将坚持使用HTTPS。 Why would it have to switch back if you say any
(HTTPS is as good as any)? 如果您说了any
(HTTPS和其他一样好),为什么还要切换回去?
Can I force the HTTP for non-authenticated users? 我可以对未经身份验证的用户强制使用HTTP吗?
No, not that I know of. 不,不是我所知道的。 Personally, I don't think this would make much sense either. 就个人而言,我也不认为这很有道理。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.