Spring Security配置导致永久认证请求


我已经使用以下配置文件配置了我的网络应用程序:

 <beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<!--
    Enables method-level security annotations: @Secured (secured-annotations) and the
    expression-based @PreAuthorize/@PostAuthorize family (pre-post-annotations).
-->
<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" />

<!--
    Filter chain; this is referred to from the web.xml file. Each filter
    is defined and configured as a bean later on. Every request path (/**)
    passes through the four filters below in the listed order.
-->
<!--
    Note: anonymousProcessingFilter removed.
    NOTE(review): without an anonymous authentication filter, a request that carries
    no credentials reaches filterSecurityInterceptor with no Authentication in the
    SecurityContext. The interceptor rejects that before any access expression is
    evaluated, so exceptionTranslationFilter starts the Basic challenge even for
    patterns marked permitAll. Either restore the anonymous filter and provider that
    are commented out further down, or give public paths their own filter-chain entry
    ahead of this one; an entry with filters="none" bypasses Spring Security entirely
    for that path, so reserve it for content that needs no user context.
-->
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map path-type="ant">
        <security:filter-chain pattern="/**"
            filters="securityContextPersistenceFilter,
                basicAuthenticationFilter,
                exceptionTranslationFilter,
                filterSecurityInterceptor" />
    </security:filter-chain-map>
</bean>

<!--
    This filter is responsible for session management, or rather the lack
    thereof. It loads the SecurityContext at the start of a request and stores
    it again at the end, using the repository configured below.
-->
<bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    <property name="securityContextRepository">
        <bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
            <!--
                Stops the repository from creating an HttpSession just to hold the SecurityContext.
                NOTE(review): a session created by any other component is still used to read and
                store the context; confirm nothing else creates sessions if the service is meant
                to be stateless.
            -->
            <property name="allowSessionCreation" value="false" />
        </bean>
    </property>
</bean>

<!--
    Basic authentication filter. Reads the HTTP Basic Authorization header, hands the
    credentials to authenticationManager, and calls authenticationEntryPoint when the
    supplied credentials are rejected.
    NOTE(review): Basic credentials are only base64-encoded and nothing in this file
    enforces HTTPS; confirm transport security is applied elsewhere (web.xml, connector
    or reverse proxy).
-->
<bean id="basicAuthenticationFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
</bean>

<!--
    Basic authentication entry point. Answers with 401 and a WWW-Authenticate: Basic
    header carrying the realm below; this response is what makes a browser show its
    username/password dialog. Shared by basicAuthenticationFilter and
    exceptionTranslationFilter.
-->
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
    <property name="realmName" value="Ayudo Web Service" />
</bean>

<!--
    An anonymous authentication filter, which is chained after the normal authentication mechanisms and automatically adds an
    AnonymousAuthenticationToken to the SecurityContextHolder if there is no existing Authentication held there.
-->
<!--
    <bean id="anonymousProcessingFilter" class="org.springframework.security.web.authentication.AnonymousProcessingFilter">
    <property name="key" value="ayudo" /> <property name="userAttribute" value="anonymousUser, ROLE_ANONYMOUS" /> </bean>
-->

<!--
    Authentication manager that chains our authentication providers. They are
    consulted in the listed order: the JDBC-backed provider first, then the
    properties-file provider. The anonymous authentication provider is currently
    commented out, so AnonymousAuthenticationTokens are not accepted.
-->
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <property name="providers">
        <list>
            <ref local="daoAuthenticationProvider" />
            <ref local="inMemoryAuthenticationProvider" />
            <!-- <ref local="anonymousAuthenticationProvider" /> -->
        </list>
    </property>
</bean>

<!--
    Secondary authentication provider; in this case, memory implementation backed
    by the propertiesUserDetails user service.
    NOTE(review): no passwordEncoder is set, so passwords are presumably compared as
    stored (plain text is the default in this Spring Security generation); confirm and
    configure a hashing encoder if the stored values are meant to be hashed.
-->
<bean id="inMemoryAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="propertiesUserDetails" />
</bean>

<!--
    In-memory user service loaded from operators.properties on the classpath.
    NOTE(review): that file holds operator credentials and ships inside the deployed
    archive; confirm it is kept out of version control and readable only by the
    application.
-->
<security:user-service id="propertiesUserDetails" properties="classpath:operators.properties" />

<!--
    Main authentication provider; looks users up through the JDBC-backed
    userDetailsService bean.
    NOTE(review): no passwordEncoder is set here either, so database passwords are
    presumably compared as stored; confirm a hashing encoder is not required.
-->
<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userDetailsService" />
</bean>

<!--
    An anonymous authentication provider which is chained into the ProviderManager so that AnonymousAuthenticationTokens are
    accepted.
-->
<!--
    <bean id="anonymousAuthenticationProvider" class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
    <property name="key" value="ayudo" /> </bean>
-->

<!--
    JDBC user lookup. The dataSource bean is defined outside this listing. No custom
    queries are configured, so the class's default user and authority queries apply.
-->
<bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
    <property name="dataSource" ref="dataSource" />
</bean>

<!--
    Turns security exceptions raised further down the chain into HTTP responses:
    authentication failures are sent to authenticationEntryPoint (the Basic challenge),
    and access denials for an authenticated user go to AccessDeniedHandlerImpl, which
    has no error page configured here and so answers with a plain 403.
-->
<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
    <property name="accessDeniedHandler">
        <bean class="org.springframework.security.web.access.AccessDeniedHandlerImpl" />
    </property>
</bean>

<!--
    URL authorization. Rules are written as security expressions (use-expressions)
    and checked top to bottom; the first matching pattern applies, so the catch-all
    /** must stay last.
    NOTE(review): permitAll only decides the access vote. The interceptor still
    expects an Authentication object in the SecurityContext, and nothing in the
    visible filter chain supplies one for requests without credentials, so those
    requests are challenged before the expression is evaluated.
    NOTE(review): assuming the default ant-style matching, /*.html covers only
    .html files directly under the context root.
-->
<bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <property name="securityMetadataSource">
        <security:filter-security-metadata-source use-expressions="true">
            <security:intercept-url pattern="/*.html" access="permitAll" />
            <security:intercept-url pattern="/version" access="permitAll" />
            <security:intercept-url pattern="/users/activate" access="permitAll" />
            <security:intercept-url pattern="/**" access="isAuthenticated()" />
        </security:filter-security-metadata-source>
    </property>
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
</bean>

<!--
    Access decision manager used by filterSecurityInterceptor. AffirmativeBased grants
    access as soon as any voter votes to grant. WebExpressionVoter evaluates the
    expression rules (permitAll, isAuthenticated()).
    NOTE(review): RoleVoter only votes on ROLE_-prefixed attributes, so with
    expression-based rules it presumably always abstains; verify whether it is needed.
-->
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="decisionVoters">
        <list>
            <bean class="org.springframework.security.access.vote.RoleVoter" />
            <bean class="org.springframework.security.web.access.expression.WebExpressionVoter" />
        </list>
    </property>
</bean>

一旦我在 tomcat 上运行我的应用程序,我就会收到一个用户名/密码基本身份验证对话框的请求。即使当我尝试访问: localhost:8080/myapp/version(显式设置为 PermitAll)时,我也会收到身份验证请求对话框。帮助!

感谢, 萨米

I have configured my web application with the following config file:

 <beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<!--
    Enables method-level security annotations: @Secured (secured-annotations) and the
    expression-based @PreAuthorize/@PostAuthorize family (pre-post-annotations).
-->
<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" />

<!--
    Filter chain; this is referred to from the web.xml file. Each filter
    is defined and configured as a bean later on. Every request path (/**)
    passes through the four filters below in the listed order.
-->
<!--
    Note: anonymousProcessingFilter removed.
    NOTE(review): without an anonymous authentication filter, a request that carries
    no credentials reaches filterSecurityInterceptor with no Authentication in the
    SecurityContext. The interceptor rejects that before any access expression is
    evaluated, so exceptionTranslationFilter starts the Basic challenge even for
    patterns marked permitAll. Either restore the anonymous filter and provider that
    are commented out further down, or give public paths their own filter-chain entry
    ahead of this one; an entry with filters="none" bypasses Spring Security entirely
    for that path, so reserve it for content that needs no user context.
-->
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map path-type="ant">
        <security:filter-chain pattern="/**"
            filters="securityContextPersistenceFilter,
                basicAuthenticationFilter,
                exceptionTranslationFilter,
                filterSecurityInterceptor" />
    </security:filter-chain-map>
</bean>

<!--
    This filter is responsible for session management, or rather the lack
    thereof. It loads the SecurityContext at the start of a request and stores
    it again at the end, using the repository configured below.
-->
<bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    <property name="securityContextRepository">
        <bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
            <!--
                Stops the repository from creating an HttpSession just to hold the SecurityContext.
                NOTE(review): a session created by any other component is still used to read and
                store the context; confirm nothing else creates sessions if the service is meant
                to be stateless.
            -->
            <property name="allowSessionCreation" value="false" />
        </bean>
    </property>
</bean>

<!--
    Basic authentication filter. Reads the HTTP Basic Authorization header, hands the
    credentials to authenticationManager, and calls authenticationEntryPoint when the
    supplied credentials are rejected.
    NOTE(review): Basic credentials are only base64-encoded and nothing in this file
    enforces HTTPS; confirm transport security is applied elsewhere (web.xml, connector
    or reverse proxy).
-->
<bean id="basicAuthenticationFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
</bean>

<!--
    Basic authentication entry point. Answers with 401 and a WWW-Authenticate: Basic
    header carrying the realm below; this response is what makes a browser show its
    username/password dialog. Shared by basicAuthenticationFilter and
    exceptionTranslationFilter.
-->
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
    <property name="realmName" value="Ayudo Web Service" />
</bean>

<!--
    An anonymous authentication filter, which is chained after the normal authentication mechanisms and automatically adds an
    AnonymousAuthenticationToken to the SecurityContextHolder if there is no existing Authentication held there.
-->
<!--
    <bean id="anonymousProcessingFilter" class="org.springframework.security.web.authentication.AnonymousProcessingFilter">
    <property name="key" value="ayudo" /> <property name="userAttribute" value="anonymousUser, ROLE_ANONYMOUS" /> </bean>
-->

<!--
    Authentication manager that chains our authentication providers. They are
    consulted in the listed order: the JDBC-backed provider first, then the
    properties-file provider. The anonymous authentication provider is currently
    commented out, so AnonymousAuthenticationTokens are not accepted.
-->
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <property name="providers">
        <list>
            <ref local="daoAuthenticationProvider" />
            <ref local="inMemoryAuthenticationProvider" />
            <!-- <ref local="anonymousAuthenticationProvider" /> -->
        </list>
    </property>
</bean>

<!--
    Secondary authentication provider; in this case, memory implementation backed
    by the propertiesUserDetails user service.
    NOTE(review): no passwordEncoder is set, so passwords are presumably compared as
    stored (plain text is the default in this Spring Security generation); confirm and
    configure a hashing encoder if the stored values are meant to be hashed.
-->
<bean id="inMemoryAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="propertiesUserDetails" />
</bean>

<!--
    In-memory user service loaded from operators.properties on the classpath.
    NOTE(review): that file holds operator credentials and ships inside the deployed
    archive; confirm it is kept out of version control and readable only by the
    application.
-->
<security:user-service id="propertiesUserDetails" properties="classpath:operators.properties" />

<!--
    Main authentication provider; looks users up through the JDBC-backed
    userDetailsService bean.
    NOTE(review): no passwordEncoder is set here either, so database passwords are
    presumably compared as stored; confirm a hashing encoder is not required.
-->
<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userDetailsService" />
</bean>

<!--
    An anonymous authentication provider which is chained into the ProviderManager so that AnonymousAuthenticationTokens are
    accepted.
-->
<!--
    <bean id="anonymousAuthenticationProvider" class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
    <property name="key" value="ayudo" /> </bean>
-->

<!--
    JDBC user lookup. The dataSource bean is defined outside this listing. No custom
    queries are configured, so the class's default user and authority queries apply.
-->
<bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
    <property name="dataSource" ref="dataSource" />
</bean>

<!--
    Turns security exceptions raised further down the chain into HTTP responses:
    authentication failures are sent to authenticationEntryPoint (the Basic challenge),
    and access denials for an authenticated user go to AccessDeniedHandlerImpl, which
    has no error page configured here and so answers with a plain 403.
-->
<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
    <property name="accessDeniedHandler">
        <bean class="org.springframework.security.web.access.AccessDeniedHandlerImpl" />
    </property>
</bean>

<!--
    URL authorization. Rules are written as security expressions (use-expressions)
    and checked top to bottom; the first matching pattern applies, so the catch-all
    /** must stay last.
    NOTE(review): permitAll only decides the access vote. The interceptor still
    expects an Authentication object in the SecurityContext, and nothing in the
    visible filter chain supplies one for requests without credentials, so those
    requests are challenged before the expression is evaluated.
    NOTE(review): assuming the default ant-style matching, /*.html covers only
    .html files directly under the context root.
-->
<bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <property name="securityMetadataSource">
        <security:filter-security-metadata-source use-expressions="true">
            <security:intercept-url pattern="/*.html" access="permitAll" />
            <security:intercept-url pattern="/version" access="permitAll" />
            <security:intercept-url pattern="/users/activate" access="permitAll" />
            <security:intercept-url pattern="/**" access="isAuthenticated()" />
        </security:filter-security-metadata-source>
    </property>
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
</bean>

<!--
    Access decision manager used by filterSecurityInterceptor. AffirmativeBased grants
    access as soon as any voter votes to grant. WebExpressionVoter evaluates the
    expression rules (permitAll, isAuthenticated()).
    NOTE(review): RoleVoter only votes on ROLE_-prefixed attributes, so with
    expression-based rules it presumably always abstains; verify whether it is needed.
-->
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="decisionVoters">
        <list>
            <bean class="org.springframework.security.access.vote.RoleVoter" />
            <bean class="org.springframework.security.web.access.expression.WebExpressionVoter" />
        </list>
    </property>
</bean>

As soon as I run my application on tomcat, I get a request for username/password basic authentication dialog. Even when I try to access: localhost:8080/myapp/version, which is explicitly set to permitAll, I get the authentication request dialog. Help!

Thanks,
Sammy


蓝天白云 2024-09-10 00:24:16

您的过滤器链中有 basicAuthenticationFilter ,因此它将尝试对用户进行身份验证。 permitAll 将允许任何用户,但该请求仍然需要在 SecurityContext 中拥有一个用户(从 UserDetailsService 中检索)。

如果您希望这些 URI 允许所有访问(即使不验证用户身份),请执行以下操作:

<intercept-url pattern="/version" filters="none"/>

You have the basicAuthenticationFilter in your filter chain, therefore it's going to try to authenticate a user. The permitAll will allow any user, but the request still needs to have a user in the SecurityContext (retrieved from your UserDetailsService).

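If you want those URIs to allow all access (even without authenticating a user) then do the following. Note that filters="none" takes the path out of every Spring Security filter, so no SecurityContext is populated while it is handled; with an explicitly declared FilterChainProxy, as in the question, the attribute probably belongs on a dedicated filter-chain entry listed before the /** one. The alternative that keeps the security filters active is to restore the anonymous authentication filter and provider that the question's configuration comments out.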

<intercept-url pattern="/version" filters="none"/>