When is SecurityContextHolder.setContext() invoked?

I have trouble with SecurityContextHolder.getContext().getAuthentication(), which is null. I have tried a lot of combinations of annotations and examples (the code from the site does not work in my application; I do not know why yet).

So for now I get org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext. If you look at the sources, you spot that getAuthentication is delegated to SecurityContextHolderStrategy, which is a thread-local field and is populated during SecurityContextHolder initialization. Does anybody know when Spring Security should "populate" it with authentication (in a servlet filter, before method invocation, etc.)?

UPDATED

Security configuration is:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@EnableGlobalAuthentication
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .antMatchers("/rest/**").permitAll()
        .anyRequest().authenticated()
        .and()
        .formLogin()
        .loginPage("/login")
        .permitAll()
        .and()
        .logout()
        .permitAll();
  }

  @Override
  protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
  }

  @Bean
  @Override
  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
  }
}

RestController

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class SecurityChecker {

  @PreAuthorize("isAuthenticated()")
  @RequestMapping("/allow")
  public String allow() {
    return "{\"status\" : \"ok\"}";
  }

  @PreAuthorize("isAnonymous()")
  @RequestMapping("/anonymous")
  public String anonymous() {
    return "{\"status\" : \"anonymous\"}";
  }
}

Application initializer

import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

  @Override
  protected Class<?>[] getRootConfigClasses() {
    return new Class<?>[]{AppConfiguration.class};
  }

  @Override
  protected Class<?>[] getServletConfigClasses() {
    return new Class[]{SecurityConfiguration.class};
  }

  @Override
  protected String[] getServletMappings() {
    return new String[]{"/rest/*"};
  }
}

AppConfiguration contains some code for the data source, entityManager and transactionManager config for Spring Data REST.

A request to the /rest/allow URL results in the exception org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext

Note

The form authorization config may not be correct. I tried to replace it with basic auth, but anyway I should get an unauthorized response instead of an exception.

Versions

Spring is 4.0.5.RELEASE, Spring Security is 4.0.2.RELEASE.

The solution for fixing Spring Security was very simple, just add:

public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {}

and move SecurityConfiguration.class to the getRootConfigClasses() method.

And everything works! :)
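
Why the fix works, as an added example that is not part of the original post: the SecurityContextHolder is populated per request by the springSecurityFilterChain servlet filter, so the filter must be registered and its bean must live in the root context, where DelegatingFilterProxy looks by default. The class name ManualSecurityFilterInitializer and the empty servlet config are assumptions of this sketch; AppConfiguration and SecurityConfiguration are the classes shown above.

```java
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.filter.DelegatingFilterProxy;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

// Corrected initializer: SecurityConfiguration is loaded into the ROOT context,
// so the "springSecurityFilterChain" bean is visible to the servlet filter.
public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

  @Override
  protected Class<?>[] getRootConfigClasses() {
    return new Class<?>[]{AppConfiguration.class, SecurityConfiguration.class};
  }

  @Override
  protected Class<?>[] getServletConfigClasses() {
    // Assumption: the page lists no other servlet-level configuration.
    return new Class<?>[0];
  }

  @Override
  protected String[] getServletMappings() {
    return new String[]{"/rest/*"};
  }
}

// Hypothetical hand-written equivalent of the essential step performed by
// "extends AbstractSecurityWebApplicationInitializer". Use it INSTEAD of that
// class, never alongside it: the filter name may only be registered once.
class ManualSecurityFilterInitializer implements WebApplicationInitializer {

  @Override
  public void onStartup(ServletContext servletContext) {
    // The proxy resolves the bean named "springSecurityFilterChain" from the
    // root WebApplicationContext and delegates every request to it. That chain
    // sets the SecurityContext before @PreAuthorize runs and clears it after.
    FilterRegistration.Dynamic chain = servletContext.addFilter(
        "springSecurityFilterChain",
        new DelegatingFilterProxy("springSecurityFilterChain"));
    // Map to /* so the filter also covers the /rest/* DispatcherServlet mapping.
    // The dispatcher types are this example's choice.
    chain.addMappingForUrlPatterns(
        EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.ASYNC),
        false, "/*");
  }
}
```

Without the filter, nothing ever places an Authentication (not even an anonymous one) in the thread-local context, which is why method security throws AuthenticationCredentialsNotFoundException rather than returning an unauthorized response.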
