![](/img/trans.png)
[英]Setting SecurityContextHolder.setContext(…) to a mock carries across to different test classes even with @DirtiesContext
[英]When SecurityContextHolder.setContext() is invoked?
我遇到的问题是SecurityContextHolder.getContext().getAuthentication()
为null。 我已经尝试了许多与注释和示例的组合。 (来自网站的代码在我的应用程序中不起作用,不知道为什么)。
所以现在我得到org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
。 如果您查看源代码,您会发现getAuthentification
被委托给SecurityContextHolderStrategy
,它会在SecurityContextHolder
初始化期间填充本地字段并填充。 有人知道春天的安全应该用认证“填充”它吗? (在servlet过滤器中,在方法调用之前等)
更新
安全配置是:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@EnableGlobalAuthentication
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/rest/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
}
@Override
protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
}
RestController
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class SecurityChecker {
@PreAuthorize("isAuthenticated()")
@RequestMapping("/allow")
public String allow() {
return "{\"status\" : \"ok\"}";
}
@PreAuthorize("isAnonymous()")
@RequestMapping("/anonymous")
public String anonymous() {
return "{\"status\" : \"anonymous\"}";
}
}
应用初始化器
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class<?>[]{AppConfiguration.class};
}
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class[]{SecurityConfiguration.class};
}
@Override
protected String[] getServletMappings() {
return new String[]{"/rest/*"};
}
AppConfiguration
包含一些代码用于数据源,entityManager和transactionManager配置用于sprng数据休息。
请求/rest/allow
url导致异常org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
注意
表单授权配置可能不正确,我试图用基本身份验证替换它,但无论如何我应该得到未经授权的响应而不是异常。
版本
Spring是4.0.5.RELEASE
,春季安全性是4.0.2.RELEASE
。
修复弹簧安全性的解决方案非常简单,只需添加:
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {}
并将SecurityConfiguration.class
移动到getRootConfigClasses()
方法。
一切正常! :)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.