如何在Spring Security中获得permitAll而不在@Controller对象中抛出AuthenticationCredentialsNotFoundException?
我有一个具有许多操作的控制器,它指定了默认的类级 @PreAuthorize 注释,但我想让任何人都可以进入其中一个操作(“显示”操作)。
@RequestMapping("/show/{pressReleaseId}")
@PreAuthorize("permitAll")
public ModelAndView show(@PathVariable long pressReleaseId) {
ModelAndView modelAndView = new ModelAndView(view("show"));
modelAndView.addObject("pressRelease",
sysAdminService.findPressRelease(pressReleaseId));
return modelAndView;
}
不幸的是,Spring Security 抛出了这个异常:
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:321)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:195)
at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:64)
How can I get Spring Security to NOT throw this exception?我只想让任何人 - 未经身份验证的用户和经过身份验证的用户 - 每个人。
我唯一的解决方案是将此方法完全放入另一个控制器中,而根本没有@PreAuthorize...这会起作用,但这是愚蠢的。我想将所有新闻稿操作保留在同一个控制器中。
感谢您的帮助!
I have a controller that has many actions and it specifies a default class-level @PreAuthorize annotation, but one of the actions I want to let anyone in (the "show" action).
@RequestMapping("/show/{pressReleaseId}")
@PreAuthorize("permitAll")
public ModelAndView show(@PathVariable long pressReleaseId) {
ModelAndView modelAndView = new ModelAndView(view("show"));
modelAndView.addObject("pressRelease",
sysAdminService.findPressRelease(pressReleaseId));
return modelAndView;
}
Unfortunately, Spring Security throws this exception:
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:321)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:195)
at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:64)
How can I get Spring Security to NOT throw this exception? I just want to let anyone in - non-authenticated users and authenticated users - Everyone.
My only solution is to put this method into another controller altogether with no @PreAuthorize at all... which will work, but that's stupid. I want to keep all my press release actions in the same controller.
Thanks for the help!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我猜您没有启用匿名身份验证过滤器。
如果您使用命名空间配置和
auto-config = "true",则默认情况下应启用它。如果您不使用自动配置,则可以启用匿名过滤器:I guess you don't have anonymouse authentication filter enabled.
If you use namespace configuration and
auto-config = "true", it should be enabled by default. If you don't use auto-config, you can enable anonymous filter as<security:anonymous />.允许任何人访问控制器方法的正常方法是不使用任何 Spring Security 注释对其进行注释;即没有
@PreAuthorize没有@Secured等。您应该能够简单地从
show()中删除@PreAuthorize> 方法,任何在该控制器中的其他方法上留下注释。无论您如何使用show()方法,其他方法都将保持安全。The normal way to allow anyone to access a controller method is to not annotate it with any Spring Security annotations; ie no
@PreAuthorizeno@Securedetc.You should be able to simply remove
@PreAuthorizefrom theshow()method, any leave the annotation on the other methods in that controller. The other methods will remain secured regardless of what you do with theshow()method.默认值随着 Spring Security 插件的较新版本(版本 2)而更改。这意味着默认情况下所有控制器都是安全的(您需要登录才能查看它们)。删除 @Secured 根本不起作用,它仍然会保持安全状态。您可以更改此默认行为,但对我来说,新的默认行为很有意义,因为它更安全。安全非常重要。
我只
用于我的控制器,但它也应该适用于方法。
The default changed with a newer version (version 2) of the spring security plugin. That means all controllers are secured by default (you need to login to see them). Removing @Secured will not work at all, it will still stay secured. You can change this default behaviour, but to me the new default behaviour makes sense because it is much more secure. And security is very important.
I only use
for my controller, but it should also work for a method.