
Spring security permitAll requires Authorization header

I have an application that has two REST endpoints:

  • GET /api/products (not secure)
  • POST /api/products (secure)

For the first endpoint I don't want to send the "Authorization" header. For this, I configure the following XML:

<security:intercept-url pattern="/api/products" method="GET" access="permitAll"/>

And for the second endpoint I do want to send the "Authorization" header. So, I configure this XML:

<security:intercept-url pattern="/api/products" method="POST" access="hasRole('ROLE_ADMIN')"/>

To my surprise, GET /api/products requires an "Authorization" header and returns 401, while POST /api/products works very nicely. I just send an "Authorization" header with a valid value and everything goes well.

I realize that using <security:intercept-url> with access="permitAll" does not disable the need for the "Authorization" header. Is that correct? If so, what kind of configuration can I set up to achieve my goal?

I am using Spring Security 4.

You should simply remove <security:intercept-url pattern="/api/products" method="GET" access="permitAll"/> and not specify any security configuration for the /api/products GET resource.
