Spring Security匿名用戶可以訪問每個URL

Question

我正在開發gwt應用程序，我希望使用spring-security來保護它。 我在數據庫中有用戶數據，UserService負責獲取特定用戶。 我已經按照本教程

的AuthenticationProvider：

public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Autowired UserService userService;

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = (String) authentication.getPrincipal();
        String password = (String) authentication.getCredentials();

        User user = userService.findByUserName(username);
        if (user == null) {
            throw new UsernameNotFoundException("User not found");
        }
        String storedPass = user.getPassword();
        if (!storedPass.equals(password)) {
            throw new BadCredentialsException("Invalid password");
        }
        Authentication customAuthentication = new CustomUserAuthentication(user, authentication);
        customAuthentication.setAuthenticated(true);

        return customAuthentication;
    }

   @Override
   public boolean supports(Class<?> authentication) {
      return     UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
   }
}

CustomAuthentication

    public class CustomUserAuthentication implements Authentication {

        private static final long serialVersionUID = -3091441742758356129L;

        private boolean authenticated;

        private final GrantedAuthority grantedAuthority;
        private final Authentication authentication;
        private final User user;

        public CustomUserAuthentication(User user, Authentication authentication) {
            this.grantedAuthority = new SimpleGrantedAuthority(user.getRole().name());
            this.authentication = authentication;
            this.user = user;
        }

        @Override
        public Collection<GrantedAuthority> getAuthorities() {
            Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
            authorities.add(grantedAuthority);
            return authorities;
        }

        @Override
        public Object getCredentials() {
            return authentication.getCredentials();
        }

        @Override
        public Object getDetails() {
            return authentication.getDetails();
        }

        @Override
        public Object getPrincipal() {
            return user;
        }

        @Override
        public boolean isAuthenticated() {
            return authenticated;
        }

        @Override
        public void setAuthenticated(boolean authenticated) throws IllegalArgumentException {
            this.authenticated = authenticated;
        }

        @Override
        public String getName() {
            return user.getUsername();
        }

    }  

安全背景：

<s:http auto-config="true" create-session="always" >
    <s:intercept-url pattern="/index.html" access="ROLE_USER" />
    <s:logout logout-success-url="/login.html"/>
    <s:form-login login-page="/login.html" default-target-url="/index.html" authentication-failure-url="/login.html" />
</s:http>

<s:authentication-manager alias="authenticationManager">
    <s:authentication-provider ref="customAuthenticationProvider" />
</s:authentication-manager>

<bean id="customAuthenticationProvider" class="com.example.server.security.CustomAuthenticationProvider" />

一切正常，彈簧攔截調用index.html我需要記錄，它將我重定向回index.html。 問題是，當我退出然后再次訪問index.html時，我只是簡單地訪問它。 我發現：

    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    System.out.println("Logged as: " + auth.getName()); 

注銷后打印anonymousUser。 當我再次登錄時，此代碼打印我的用戶名，因此我認為攔截匿名用戶有問題。 有誰知道如何攔截匿名用戶？

Answer 1

代替：

 <s:intercept-url pattern="/**" access="ROLE_USER" />

您可以使用：

<s:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY,ROLE_USER" />

這應該使Spring Security拒絕訪問匿名用戶。 當然，這意味着您還需要添加其中一個：

<s:intercept-url pattern="/url_that_should_be_accessible_to_anonymous_user" access="IS_AUTHENTICATED_ANONYMOUSLY" />

對於匿名用戶應該能夠訪問的每種模式。 通常，登錄頁面，錯誤頁面，靜態資源（圖像，PDF等）。