
Spring security | issue in granting access to anonymous users

I'm trying to grant access privileges to a certain REST method implemented according to Spring. [Bear in mind this is an existing application with existing Spring configurations]

My problem here is that I cannot access this method if I'm not authenticated. Here are my configurations

web.xml

<servlet>
    <servlet-name>appServlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/app-servlet.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

app-servlet.xml

<!-- DispatcherServlet Context: defines this servlet's request-processing infrastructure -->

<!-- Enables the Spring MVC @Controller programming model -->
<annotation-driven />

<context:component-scan base-package="nz.co.schola.sms.web.tech" />

<!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources directory -->
<resources mapping="/resources/**" location="/resources/" />

<!-- Resolves views selected for rendering by @Controllers to .jsp resources in the /WEB-INF/views directory -->
<beans:bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <beans:property name="prefix" value="/WEB-INF/views/" />
    <beans:property name="suffix" value=".jsp" />
</beans:bean>   

<beans:bean class="org.springframework.web.servlet.view.ContentNegotiatingViewResolver">
    <beans:property name="order" value="1" />
    <beans:property name="mediaTypes">
        <beans:map>
            <beans:entry key="json" value="application/json" />
            <beans:entry key="xml" value="application/xml" />               
        </beans:map>
    </beans:property>

    <beans:property name="defaultViews">
        <beans:list>
            <!-- JSON View -->
            <beans:bean class="org.springframework.web.servlet.view.json.MappingJacksonJsonView" />
        </beans:list>
    </beans:property>
</beans:bean>

Controller class

@Controller
public class CustomController {

    @RequestMapping(value = "/wos/student/{stid}/school/{scid}", method = RequestMethod.GET)
    public @ResponseBody JsonFormatClass getWeeksOfSchooling(@PathVariable("stid") String stid, @PathVariable("scid") String scid) {

        //some logic

        return new JsonFormatClass();
    }
}

In my Spring security application context I have clearly defined the intercept-url to grant anonymous access to the method

applicationContext-security.xml

  <security:http auto-config="false" entry-point-ref="formAuthenticationEntryPoint">
    <!-- Uses a custom form filter to accommodate the userspace -->
    <security:custom-filter position="FORM_LOGIN_FILTER" ref="userspaceAwareFormLoginFilter" /> 
    <security:anonymous />
    <security:logout />

    <!-- Workaround for RichFaces automatically including skinning CSS on login page, even though unused -->
    <security:intercept-url pattern="/a4j/**" access="ROLE_ANONYMOUS,ROLE_USER" />
    <!-- Richfaces skinning also uses images and some additional stylesheets... -->
    <security:intercept-url pattern="/css/**" access="ROLE_ANONYMOUS,ROLE_USER" />
    <security:intercept-url pattern="/errorViewExpired.jsp" access="ROLE_ANONYMOUS,ROLE_USER" />
    <security:intercept-url pattern="/images/**" access="ROLE_ANONYMOUS,ROLE_USER" />
    <security:intercept-url pattern="/js/**" access="ROLE_ANONYMOUS,ROLE_USER" />
    <security:intercept-url pattern="/login.faces" access="ROLE_ANONYMOUS,ROLE_USER" />

    <security:intercept-url pattern="/srStudentPhoto/**" access="ROLE_ANONYMOUS,ROLE_USER" />

    <security:intercept-url pattern="/accountsreceivable/**" access="ROLE_AR" />
    <security:intercept-url pattern="/assessment/**" access="ROLE_PLANNING_ASSESSMENT, ROLE_ASSESS_MAINTENANCE" />
    <security:intercept-url pattern="/assessmentmaintenance/**" access="ROLE_ASSESS_MAINTENANCE" />
    <security:intercept-url pattern="/attendance/attendanceJobSettings.faces" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/attendance/attendanceMaintenance.faces" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/attendance/attendanceSettings.faces" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/attendance/attendanceSurvey.faces" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/attendance/unmarkedRegisters.faces" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/earlynotification/**" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/enrol/**" access="ROLE_ENROL" />
    <security:intercept-url pattern="/enrolment/**" access="ROLE_STUDENTADMIN" />
    <security:intercept-url pattern="/incident/**" access="ROLE_BEHAVIOURAL_MGMT" />
    <security:intercept-url pattern="/rollreturn/**" access="ROLE_ROLL_RETURN" />
    <security:intercept-url pattern="/school/schoolYearSettings.faces" access="ROLE_STUDENTADMIN, ROLE_CUSTOMER_SERVICE" />
    <security:intercept-url pattern="/schooladmin/peopleSearch.faces" access="ROLE_USER_MAINTENANCE, ROLE_USER_ADMIN" />
    <security:intercept-url pattern="/schooladmin/maintainPerson.faces" access="ROLE_USER_MAINTENANCE, ROLE_USER_ADMIN" />
    <security:intercept-url pattern="/schooladmin/maintainPersonRoles.faces" access="ROLE_USER_MAINTENANCE, ROLE_USER_ADMIN" />
    <security:intercept-url pattern="/schooladmin/peopleSearch.faces" access="ROLE_USER_MAINTENANCE, ROLE_USER_ADMIN" />
    <security:intercept-url pattern="/schooladmin/groupList.faces" access="ROLE_USER" />
    <security:intercept-url pattern="/schooladmin/groupMaintenance.faces" access="ROLE_USER" />

    <security:intercept-url pattern="/schooladmin/**" access="ROLE_SCHOOLADMIN" />
    <security:intercept-url pattern="/student/add.faces" access="ROLE_STUDENTADMIN" />
    <!-- Should only be accessible by Teachers, but current model does not allow for this -->
    <security:intercept-url pattern="/student/createLearningObservation.faces" access="ROLE_USER" />
    <security:intercept-url pattern="/utils/**" access="ROLE_UTILITIES" />

    <security:intercept-url pattern="/customerservice/**" access="ROLE_CUSTSVC_SUPER, ROLE_CUSTOMER_SERVICE" />

    <security:intercept-url pattern="/**" access="ROLE_USER" />

    <security:intercept-url pattern="/assessments/**" access="ROLE_ANONYMOUS,ROLE_USER" />
  </security:http>

I can perfectly access the method and get a result using the URL below, but ONLY IF I'M AUTHENTICATED; otherwise it redirects me to the login page.

http://localhost:8080:/MyOwnApp/assessments/wos/student/45345345/school/345343

So what am I doing wrong here?

Thanks.

There is no matching intercept-url for your controller under

/wos/student/{stid}/school/{scid}

If I assume that /wos is the name of your servlet then you'll need an intercept-url for /student/** with access ROLE_ANONYMOUS.

But you only have

<security:intercept-url pattern="/student/add.faces" access="ROLE_STUDENTADMIN" />
<security:intercept-url pattern="/student/createLearningObservation.faces" access="ROLE_USER" />

The final matching intercept-url is

<security:intercept-url pattern="/**" access="ROLE_USER" />

Hence you can access your controller only when authenticated.
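Spring Security evaluates intercept-url entries in declaration order and applies the first pattern that matches, so a "/**" catch-all declared before "/assessments/**" means the later rule is never reached. The Python script below is added here and is not part of the question or the answer: it replays that first-match evaluation over an abridged copy of the posted rule order and over the same rules with the anonymous rule moved ahead of the catch-all. It assumes the path Spring Security evaluates for the posted URL (context path stripped) is /assessments/wos/student/45345345/school/345343, and its Ant-pattern matcher is a simplified stand-in for Spring's AntPathMatcher (no "?" support).

```python
import re

# Convert a Spring-style Ant pattern into an anchored regular expression.
def ant_to_regex(pattern):
    regex, i = "", 0
    while i < len(pattern):
        if pattern.endswith("/**") and i == len(pattern) - 3:
            regex += "(/.*)?"          # trailing /** also matches the bare prefix
            i += 3
        elif pattern.startswith("**", i):
            regex += ".*"              # any number of path segments
            i += 2
        elif pattern[i] == "*":
            regex += "[^/]*"           # anything within a single segment
            i += 1
        else:
            regex += re.escape(pattern[i])
            i += 1
    return re.compile("^" + regex + "$")

# First declared match wins, which is how Spring Security evaluates <intercept-url>.
def decide(rules, path):
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return pattern, access
    return None

# Any rule declared after a "/**" catch-all can never be reached.
def unreachable_rules(rules):
    patterns = [p for p, _ in rules]
    return patterns[patterns.index("/**") + 1:] if "/**" in patterns else []

# Abridged rule order copied from the question's applicationContext-security.xml.
AS_POSTED = [
    ("/student/add.faces", "ROLE_STUDENTADMIN"),
    ("/student/createLearningObservation.faces", "ROLE_USER"),
    ("/**", "ROLE_USER"),
    ("/assessments/**", "ROLE_ANONYMOUS,ROLE_USER"),
]
# Same rules with the anonymous rule moved ahead of the catch-all.
REORDERED = [AS_POSTED[3]] + AS_POSTED[:3]
# Assumed path (constructed from the question's URL with the context path stripped).
PATH = "/assessments/wos/student/45345345/school/345343"

if __name__ == "__main__":
    print(decide(AS_POSTED, PATH), unreachable_rules(AS_POSTED))  # ('/**', 'ROLE_USER') ['/assessments/**']
    print(decide(REORDERED, PATH))  # ('/assessments/**', 'ROLE_ANONYMOUS,ROLE_USER')
```

The same first-match rule cuts the other way: a permissive pattern placed above a restrictive one silently opens the restricted paths, so after any reorder it is worth re-checking the decision for a restricted path such as /student/add.faces.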
