这是我的主 Controller :
package org.demian.demibox.controllers;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
@Controller
public class MainController {
private String getUsername() {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth.isAuthenticated())
return auth.getName();
else
return null;
}
@RequestMapping(value = "/", method = RequestMethod.GET)
public String showHome() {
String username = getUsername();
System.out.println(username);
if (username == null || username.length() == 0)
return "welcome";
return "index";
}
}
即使我没有登录,auth.isAuthenticated() 总是返回 true。这是为什么? auth.isAuthenticated() 什么时候返回 false?如果我未登录,则经过身份验证的用户的名称为 anonymousUser,如果我已登录,则为用户名。
编辑
这是我的 security-context.xml 文件:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="dataSource" id="jdbcUserService" />
<!-- <security:password-encoder ref="passwordEncoder" /> -->
</security:authentication-provider>
</security:authentication-manager>
<security:http use-expressions="true">
<security:intercept-url pattern="/" access="permitAll" />
<security:intercept-url pattern="/login" access="permitAll" />
<security:intercept-url pattern="/redeem" access="permitAll" />
<security:intercept-url pattern="/redeem_code" access="permitAll" />
<security:intercept-url pattern="/static/**" access="permitAll" />
<security:intercept-url pattern="/*" access="isAuthenticated()" />
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:intercept-url pattern="/**" access="denyAll" />
<security:form-login login-page="/login" authentication-failure-url="/login?error=true" />
<security:logout logout-success-url="/" />
<security:remember-me key="offersAppKey" user-service-ref="jdbcUserService" />
</security:http>
<security:global-method-security secured-annotations="enabled" />
<!-- <bean id="passwordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" /> -->
</beans>
web.xml 文件中有以下几行:
<filter>
<display-name>springSecurityFilterChain</display-name>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
我正在通过 Maven 使用 Tomcat 8.0 和所有最新的依赖项。
最佳答案
这就是 spring-security 默认的工作方式。
来自 the docs :
Note that there is no real conceptual difference between a user who is "anonymously authenticated" and an unauthenticated user. Spring Security’s anonymous authentication just gives you a more convenient way to configure your access-control attributes. Calls to servlet API calls such as
getCallerPrincipal, for example, will still return null even though there is actually an anonymous authentication object in theSecurityContextHolder.There are other situations where anonymous authentication is useful, such as when an auditing interceptor queries the
SecurityContextHolderto identify which principal was responsible for a given operation. Classes can be authored more robustly if they know theSecurityContextHolderalways contains anAuthenticationobject, and never null.
如果你需要检查它是否是一个 anonymousUser 那么你可以检查 Authentication 对象是否是 AnonymousAuthenticationToken 实例。
关于spring - 为什么在 Spring Security 中对 'anonymousUser' 进行了身份验证?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/26101738/