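I have checked several blog posts, docs and Stack Overflow forum entries, but I still don't know what I am doing wrong.
I want to grant everyone access to one URL. permitAll does not work because I have custom filters. So I wanted to create a separate http element and use the security="none" setting, but so far without success.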
<security:http pattern="/status" security="none"/>

<!-- ******************** rules with encryption and HMAC authentication ******************** -->
<security:http create-session="stateless" use-expressions="true" authentication-manager-ref="authenticationManager" auto-config="true" entry-point-ref="http403EntryPoint" pattern="/**">
    <!-- HMAC only -->
    <security:intercept-url pattern="/utils/logheaderpattern/check" access="authenticated" />
    <security:intercept-url pattern="/executionflow/approve" access="authenticated" />
    <security:intercept-url pattern="/executionflow/approve_and_forced_start" access="authenticated" />
    <security:intercept-url pattern="/utils/maintenancewindow/next/**" access="authenticated" />
    <security:intercept-url pattern="/executionflow/start/manual" access="authenticated" />
    <security:intercept-url pattern="/executionflow/start/eventlife" access="authenticated" />
    <security:intercept-url pattern="/executionflow/skip/eventlife" access="authenticated" />
    <security:intercept-url pattern="/executionflow/start/scheduled" access="authenticated" />
    <security:intercept-url pattern="/utils/cron/nextrun" access="authenticated" />
    <!-- HMAC and encryption (set in encryptionFilter) -->
    <security:intercept-url pattern="/worker/command/**" access="authenticated" />
    <security:intercept-url pattern="/worker/event" access="authenticated" />
    <security:intercept-url pattern="/worker/system/**" access="authenticated" />
    <!-- deny all others -->
    <security:intercept-url pattern="/**" access="denyAll" />
    <security:csrf disabled="true" />
    <security:custom-filter ref="encryptionFilter" before="FORM_LOGIN_FILTER"/>
    <security:custom-filter ref="hmacAuthenticationFilter" after="FORM_LOGIN_FILTER"/>
</security:http>

<!-- ******************** Defining the authentication manager ******************** -->
<security:authentication-manager erase-credentials="false" id="authenticationManager">
    <security:authentication-provider user-service-ref="fileBasedUserDetailsService">
    </security:authentication-provider>
</security:authentication-manager>
And the controller:
@Controller
public class WebController {

    @RequestMapping(value = "/status", method = RequestMethod.GET)
    public String redirect() {
        return "redirect:/pages/status.html";
    }
}
And the Spring Boot initializer:
@Configuration
@ImportResource({"classpath:applicationContext.xml", "classpath:securityContext.xml"})
@ComponentScan(basePackages = {"org.reaction.engine.controller",
        "org.reaction.engine.persistence.service",
        "org.reaction.engine.persistence.converter",
        "org.reaction.engine.service",
        "org.reaction.engine.scheduling.utils"})
@EnableAutoConfiguration
public class WebInitializer extends SpringBootServletInitializer implements WebApplicationInitializer {

    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(WebInitializer.class);
    }

    public static void main(String[] args) throws Exception {
        SpringApplication.run(WebInitializer.class, args);
    }
}
I keep getting
2018-01-15 16:04:02.676 ERROR [org.springframework.boot.web.support.ErrorPageFilter:176] - Forwarding to error page from request [/status] due to exception [An Authentication object was not found in the SecurityContext]
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:379)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:223)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
exception. Any ideas?