java - Spring Security | Problem granting access to anonymous users

Tags: java spring security spring-mvc spring-security

I am trying to grant access to a particular REST method implemented under Spring. [Keep in mind this is an existing application with an existing Spring configuration.]

My problem is that I cannot access this method unless I am authenticated. This is my configuration:

web.xml

<servlet>
    <servlet-name>appServlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/app-servlet.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

app-servlet.xml

<!-- DispatcherServlet Context: defines this servlet's request-processing infrastructure -->

<!-- Enables the Spring MVC @Controller programming model -->
<annotation-driven />

<context:component-scan base-package="nz.co.schola.sms.web.tech" />

<!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources directory -->
<resources mapping="/resources/**" location="/resources/" />

<!-- Resolves views selected for rendering by @Controllers to .jsp resources in the /WEB-INF/views directory -->
<beans:bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <beans:property name="prefix" value="/WEB-INF/views/" />
    <beans:property name="suffix" value=".jsp" />
</beans:bean>

<beans:bean class="org.springframework.web.servlet.view.ContentNegotiatingViewResolver">
    <beans:property name="order" value="1" />
    <beans:property name="mediaTypes">
        <beans:map>
            <beans:entry key="json" value="application/json" />
            <beans:entry key="xml" value="application/xml" />
        </beans:map>
    </beans:property>

    <beans:property name="defaultViews">
        <beans:list>
            <!-- JSON View -->
            <beans:bean class="org.springframework.web.servlet.view.json.MappingJacksonJsonView" />
        </beans:list>
    </beans:property>
</beans:bean>

Controller class

@Controller
public class CustomController {

    @RequestMapping(value = "/wos/student/{stid}/school/{scid}", method = RequestMethod.GET)
    public @ResponseBody JsonFormatClass getWeeksOfSchooling(@PathVariable("stid") String stid, @PathVariable("scid") String scid) {

        //some logic

        return new JsonFormatClass();
    }
}

In my Spring Security application context I explicitly defined an intercept-url to grant anonymous access to that method:

applicationContext-security.xml

  <security:http auto-config="false" entry-point-ref="formAuthenticationEntryPoint">
    <!-- Uses a custom form filter to accommodate the userspace -->
    <security:custom-filter position="FORM_LOGIN_FILTER" ref="userspaceAwareFormLoginFilter" />
    <security:anonymous />
    <security:logout />

    <!-- Workaround for RichFaces automatically including skinning CSS on login page, even though unused -->
    <security:intercept-url pattern="/a4j/**" access="ROLE_ANONYMOUS,ROLE_USER" />
    <!-- Richfaces skinning also uses images and some additional stylesheets... -->
    <security:intercept-url pattern="/css/**" access="ROLE_ANONYMOUS,ROLE_USER" />
    <security:intercept-url pattern="/errorViewExpired.jsp" access="ROLE_ANONYMOUS,ROLE_USER" />
    <security:intercept-url pattern="/images/**" access="ROLE_ANONYMOUS,ROLE_USER" />
    <security:intercept-url pattern="/js/**" access="ROLE_ANONYMOUS,ROLE_USER" />
    <security:intercept-url pattern="/login.faces" access="ROLE_ANONYMOUS,ROLE_USER" />

    <security:intercept-url pattern="/srStudentPhoto/**" access="ROLE_ANONYMOUS,ROLE_USER" />

    <security:intercept-url pattern="/accountsreceivable/**" access="ROLE_AR" />
    <security:intercept-url pattern="/assessment/**" access="ROLE_PLANNING_ASSESSMENT, ROLE_ASSESS_MAINTENANCE" />
    <security:intercept-url pattern="/assessmentmaintenance/**" access="ROLE_ASSESS_MAINTENANCE" />
    <security:intercept-url pattern="/attendance/attendanceJobSettings.faces" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/attendance/attendanceMaintenance.faces" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/attendance/attendanceSettings.faces" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/attendance/attendanceSurvey.faces" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/attendance/unmarkedRegisters.faces" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/earlynotification/**" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/enrol/**" access="ROLE_ENROL" />
    <security:intercept-url pattern="/enrolment/**" access="ROLE_STUDENTADMIN" />
    <security:intercept-url pattern="/incident/**" access="ROLE_BEHAVIOURAL_MGMT" />
    <security:intercept-url pattern="/rollreturn/**" access="ROLE_ROLL_RETURN" />
    <security:intercept-url pattern="/school/schoolYearSettings.faces" access="ROLE_STUDENTADMIN, ROLE_CUSTOMER_SERVICE" />
    <security:intercept-url pattern="/schooladmin/peopleSearch.faces" access="ROLE_USER_MAINTENANCE, ROLE_USER_ADMIN" />
    <security:intercept-url pattern="/schooladmin/maintainPerson.faces" access="ROLE_USER_MAINTENANCE, ROLE_USER_ADMIN" />
    <security:intercept-url pattern="/schooladmin/maintainPersonRoles.faces" access="ROLE_USER_MAINTENANCE, ROLE_USER_ADMIN" />
    <security:intercept-url pattern="/schooladmin/peopleSearch.faces" access="ROLE_USER_MAINTENANCE, ROLE_USER_ADMIN" />
    <security:intercept-url pattern="/schooladmin/groupList.faces" access="ROLE_USER" />
    <security:intercept-url pattern="/schooladmin/groupMaintenance.faces" access="ROLE_USER" />

    <security:intercept-url pattern="/schooladmin/**" access="ROLE_SCHOOLADMIN" />
    <security:intercept-url pattern="/student/add.faces" access="ROLE_STUDENTADMIN" />
    <!-- Should only be accessible by Teachers, but current model does not allow for this -->
    <security:intercept-url pattern="/student/createLearningObservation.faces" access="ROLE_USER" />
    <security:intercept-url pattern="/utils/**" access="ROLE_UTILITIES" />

    <security:intercept-url pattern="/customerservice/**" access="ROLE_CUSTSVC_SUPER, ROLE_CUSTOMER_SERVICE" />

    <security:intercept-url pattern="/**" access="ROLE_USER" />

    <security:intercept-url pattern="/assessments/**" access="ROLE_ANONYMOUS,ROLE_USER" />
  </security:http>

I can access the method perfectly and get the result -- IF ONLY I'M AUTHENTICATED; otherwise it redirects me to the login page.

http://localhost:8080/MyOwnApp/assessments/wos/student/45345345/school/345343

So what am I doing wrong here?

Thanks.

Accepted answer

None of the intercept URLs below match your controller:

/wos/student/{stid}/school/{scid}

If I assume /wos is the name of your servlet, then you would need an intercept URL for /student/** with ROLE_ANONYMOUS access.

But you only have:

<security:intercept-url pattern="/student/add.faces" access="ROLE_STUDENTADMIN" />
<security:intercept-url pattern="/student/createLearningObservation.faces" access="ROLE_USER" />

The intercept-url that ends up matching is:

<security:intercept-url pattern="/**" access="ROLE_USER" />

Therefore you can only access your controller once you are authenticated.
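The ordering point in the answer can be checked offline: Spring Security evaluates intercept-url rules top to bottom and applies the first pattern that matches, so a catch-all /** placed above /assessments/** shadows it. The following is an added example, not code from the question or answer; it assumes the DispatcherServlet is mapped at /assessments/* so that the path Spring Security sees is /assessments/wos/student/45345345/school/345343, and it uses a deliberately simplified Ant-style matcher (only * and **), which is enough for these rules but not a replacement for AntPathMatcher.

```python
import re

# Constructed subset of the question's intercept-url rules, in the order they
# appear in applicationContext-security.xml. First match wins.
ORIGINAL_RULES = [
    ("/student/add.faces", {"ROLE_STUDENTADMIN"}),
    ("/student/createLearningObservation.faces", {"ROLE_USER"}),
    ("/**", {"ROLE_USER"}),
    ("/assessments/**", {"ROLE_ANONYMOUS", "ROLE_USER"}),
]

# Assumption: servlet mapped at /assessments/*, so the secured path is
# servletPath + pathInfo, without the /MyOwnApp context path.
REQUEST_PATH = "/assessments/wos/student/45345345/school/345343"


def ant_to_regex(pattern: str) -> re.Pattern:
    """Simplified Ant-style matcher: '**' spans segments, '*' stays within one."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def first_match(rules, path):
    """Return (pattern, roles) of the first rule matching the path, or None."""
    for pattern, roles in rules:
        if ant_to_regex(pattern).match(path):
            return pattern, roles
    return None


def is_allowed(rules, path, granted):
    """Decide like the access check: any granted role in the matched rule's set."""
    match = first_match(rules, path)
    if match is None:
        return True  # no intercept-url covers the path: Spring Security does not protect it
    return bool(match[1] & granted)


def fixed_rules(rules):
    """Corrected ordering: specific rules first, the '/**' catch-all last."""
    return [r for r in rules if r[0] != "/**"] + [r for r in rules if r[0] == "/**"]
```

With `<security:anonymous />` in place an unauthenticated request carries ROLE_ANONYMOUS, so `is_allowed(ORIGINAL_RULES, REQUEST_PATH, {"ROLE_ANONYMOUS"})` is False and becomes True with `fixed_rules`; the equivalent XML change is moving the /assessments/** line above the /** line.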

Regarding java - Spring Security | Problem granting access to anonymous users, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/22200057/
