[英]When SecurityContextHolder.setContext() is invoked?
I have a trouble with SecurityContextHolder.getContext().getAuthentication()
which is null. 我遇到的问题是
SecurityContextHolder.getContext().getAuthentication()
为null。 I have tried a lot of combination with annotations and examples. 我已经尝试了许多与注释和示例的组合。 (code from site does not work in my application, do not know why yet).
(来自网站的代码在我的应用程序中不起作用,不知道为什么)。
So for now I get org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
. 所以现在我得到
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
。 If you look at sources you spot that getAuthentification
is delegated to SecurityContextHolderStrategy
which thread local field and populated during SecurityContextHolder
initialization. 如果您查看源代码,您会发现
getAuthentification
被委托给SecurityContextHolderStrategy
,它会在SecurityContextHolder
初始化期间填充本地字段并填充。 Anybody know when spring security should "populate" it with authentification? 有人知道春天的安全应该用认证“填充”它吗? (in servlet filter, before method invocation, etc.)
(在servlet过滤器中,在方法调用之前等)
UPDATED 更新
Security configuration is: 安全配置是:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@EnableGlobalAuthentication
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/rest/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
}
@Override
protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
}
RestController RestController
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class SecurityChecker {
@PreAuthorize("isAuthenticated()")
@RequestMapping("/allow")
public String allow() {
return "{\"status\" : \"ok\"}";
}
@PreAuthorize("isAnonymous()")
@RequestMapping("/anonymous")
public String anonymous() {
return "{\"status\" : \"anonymous\"}";
}
}
Application initializer 应用初始化器
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class<?>[]{AppConfiguration.class};
}
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class[]{SecurityConfiguration.class};
}
@Override
protected String[] getServletMappings() {
return new String[]{"/rest/*"};
}
AppConfiguration
contains some code for data source, entityManager and transactionManager config for sprng data rest. AppConfiguration
包含一些代码用于数据源,entityManager和transactionManager配置用于sprng数据休息。
Request to /rest/allow
url result in exception org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
请求
/rest/allow
url导致异常org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
Note 注意
Form authorization config may be not correct, I tried to replace it with basic auth, but anyway I should get unauthorized response instead fo exception. 表单授权配置可能不正确,我试图用基本身份验证替换它,但无论如何我应该得到未经授权的响应而不是异常。
Versions 版本
Spring is 4.0.5.RELEASE
, spring security is 4.0.2.RELEASE
. Spring是
4.0.5.RELEASE
,春季安全性是4.0.2.RELEASE
。
The solution for fixing spring security was very simple just add: 修复弹簧安全性的解决方案非常简单,只需添加:
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {}
and move SecurityConfiguration.class
to getRootConfigClasses()
method. 并将
SecurityConfiguration.class
移动到getRootConfigClasses()
方法。
And everything works! 一切正常! :)
:)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.