Spring安全性：在3.1中，僅針對'GET'請求繞過安全過濾器

Question

我希望我的服務僅針對傳入的POST/PUT/DELETE請求執行身份驗證，並繞過任何GET請求。 Spring版本低於3.1，具有'filters =「none」'屬性，可用於繞過特定URL模式的所有安全過濾器。在3.1中，「filters =」none「'已棄用，替代解決方案是對」http「元素使用'security =」none「'屬性。這不支持基於請求類型（GET/PUT/POST/DELETE）的配置。

我使用Spring 3.1.1和當前配置是如下：

<!-- Just un-comment any resource if you don't want authentication to be done on them --> 
<http pattern="/base/version" security="none"/> 

<!-- Secure resources --> 
<http create-session='stateless' entry-point-ref="tokenAuthenticationEntryPoint"> 
    <custom-filter position="PRE_AUTH_FILTER" ref="tokenAuthenticationFilter" /> 
    <intercept-url pattern="/v1/abc/**" method="GET" filters="none"/> //This doesn’t work currently 
    <intercept-url pattern="/v1/abc/**" method="POST" access="ROLE_USER"/> 
    <intercept-url pattern="/v1/abc/**" method="PUT" access="ROLE_USER"/> 
    <intercept-url pattern="/v1/abc/**" method="DELETE" access="ROLE_USER"/> 
    <intercept-url pattern="/**" access="ROLE_USER" /> 
</http> 

我怎樣才能繞過安全過濾器模式= 「/ V1/ABC/**」 的方法= 「GET」在Spring 3.1中？

Answer 1

我找到了解決問題的方法 - 使用基於表達式的訪問控制，我使用access =「permitAll」，它配置授權而不禁用過濾器。

<!-- Just un-comment any resource if you don't want authentication to be done on them --> 
<http pattern="/base/version" security="none"/> 

<!-- Secure resources --> 
<http create-session='stateless' entry-point-ref="tokenAuthenticationEntryPoint" use- expressions="true"> 
    <custom-filter position="PRE_AUTH_FILTER" ref="tokenAuthenticationFilter" /> 
    <intercept-url pattern="/v1/abc/**" method="GET" access="permitAll"/> 
    <intercept-url pattern="/v1/abc/**" method="POST" access="hasRole('ROLE_USER')"/> 
    <intercept-url pattern="/v1/abc/**" method="PUT" access="hasRole('ROLE_USER')"/> 
    <intercept-url pattern="/v1/abc/**" method="DELETE" access="hasRole('ROLE_USER')"/> 
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" /> 
</http>