I have an application that has two REST endpoints:
For the first endpoint I don't want to send the "Authorization" header. For this, I configure the following XML:
<security:intercept-url pattern="/api/products" method="GET" access="permitAll"/>
And for the second endpoint I do want to send the "Authorization" header. So, I configure this XML:
<security:intercept-url pattern="/api/products" method="POST" access="hasRole('ROLE_ADMIN')"/>
To my surprise, GET /api/products requires an "Authorization" header and returns 401. And POST /api/products works very well. I just send an "Authorization" header with a valid value and everything goes well.
I realize that using <security:intercept-url> with access="permitAll" does not disable the need for the "Authorization" header. Is that correct? If so, what kind of configuration can I set up to achieve my goal?
I am using Spring Security 4.
You should simply remove <security:intercept-url pattern="/api/products" method="GET" access="permitAll"/> and not specify any security configuration for the /api/products GET resource.