java - When is SecurityContextHolder.setContext() called?

Tags: java spring spring-security

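I ran into a problem with SecurityContextHolder.getContext().getAuthentication(): it is null. I tried many combinations of annotations and examples. (The code from the site does not work in my application, and I don't know why yet.)

So now I get org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext. If you look at the sources, you will find that getAuthentication is delegated to a SecurityContextHolderStrategy thread-local field that is populated during SecurityContextHolder initialization. Does anyone know when Spring Security is supposed to "fill" it with the authentication? (In a servlet filter, before the method call, etc.)

Updated

The security configuration is: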

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@EnableGlobalAuthentication
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .antMatchers("/rest/**").permitAll()
        .anyRequest().authenticated()
        .and()
        .formLogin()
        .loginPage("/login")
        .permitAll()
        .and()
        .logout()
        .permitAll();
  }

  @Override
  protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
  }

  @Bean
  @Override
  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
  }
}

REST controller

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class SecurityChecker {

  @PreAuthorize("isAuthenticated()")
  @RequestMapping("/allow")
  public String allow() {
    return "{\"status\" : \"ok\"}";
  }

  @PreAuthorize("isAnonymous()")
  @RequestMapping("/anonymous")
  public String anonymous() {
    return "{\"status\" : \"anonymous\"}";
  }
}

Application initializer

import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

  @Override
  protected Class<?>[] getRootConfigClasses() {
    return new Class<?>[]{AppConfiguration.class};
  }

  @Override
  protected Class<?>[] getServletConfigClasses() {
    return new Class<?>[]{SecurityConfiguration.class};
  }

  @Override
  protected String[] getServletMappings() {
    return new String[]{"/rest/*"};
  }
}

AppConfiguration contains some code for dataSource, entityManager and transactionManager configuration, used for Spring Data REST.

Requesting the /rest/allow URL results in the exception org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext

Note

The form authorization configuration may be incorrect; I tried replacing it with basic authorization, but either way I should get an unauthorized response rather than an exception.

Versions

Spring is 4.0.5.RELEASE, Spring Security is 4.0.2.RELEASE

Best answer

The solution to fix Spring Security is very simple, just add:

public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {}

and move SecurityConfiguration.class to the getRootConfigClasses() method.

Everything works! :)

Regarding java - When is SecurityContextHolder.setContext() called?, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/32822776/
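The two initializers as they look once the accepted answer is applied, with comments on why each change matters. This is an added example, not code from the original question or answer; it assumes the question's AppConfiguration and SecurityConfiguration classes are unchanged and, for brevity, declares both initializers package-private in one file.

```java
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

// Registers a DelegatingFilterProxy named "springSecurityFilterChain" for every
// request. Without this filter no Spring Security filter runs, nothing populates
// SecurityContextHolder for the request thread, and the @PreAuthorize interceptor
// throws AuthenticationCredentialsNotFoundException instead of returning 401/403.
class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
}

class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

  @Override
  protected Class<?>[] getRootConfigClasses() {
    // By default the filter proxy looks up the springSecurityFilterChain bean in
    // the root application context, so the security configuration has to be
    // loaded here rather than in the DispatcherServlet's child context.
    return new Class<?>[]{AppConfiguration.class, SecurityConfiguration.class};
  }

  @Override
  protected Class<?>[] getServletConfigClasses() {
    // All configuration now lives in the root context.
    return null;
  }

  @Override
  protected String[] getServletMappings() {
    return new String[]{"/rest/*"};
  }
}
```

One caveat with this layout: @EnableGlobalMethodSecurity only proxies beans in the context where it is declared, so the @PreAuthorize-annotated controller must be registered in the root context as well for the method checks to apply.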
