
我試圖向匿名用戶授予對某個基於 Spring 實現的 REST 方法的訪問權限。[請注意，這是一個現有的應用程序，帶有現有的 Spring 配置。] Spring Security | 向匿名用戶授予訪問權限的問題

我的問題是，如果我沒有進行身份驗證，就無法訪問此方法。以下是我的配置：

web.xml

<!-- DispatcherServlet for the Spring MVC layer. Its <servlet-mapping> (the URL
     prefix this servlet answers under) is not shown on this page; the request URL
     quoted in the question suggests the prefix is /assessments, but that should be
     confirmed in web.xml, because the security intercept-url patterns must be
     written against the full context-relative path. -->
<servlet>
    <servlet-name>appServlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <!-- Child context loaded by this servlet; the controllers are scanned from there. -->
    <init-param>
     <param-name>contextConfigLocation</param-name>
     <param-value>/WEB-INF/app-servlet.xml</param-value>
    </init-param>
    <!-- Initialise eagerly at deploy time rather than on first request. -->
    <load-on-startup>1</load-on-startup>
</servlet>

app-servlet.xml

<!-- DispatcherServlet Context: defines this servlet's request-processing infrastructure -->

<!-- Enables the Spring MVC @Controller programming model -->
<annotation-driven />

<!-- Controllers such as CustomController are discovered under this package. Every
     @RequestMapping found here becomes reachable through the DispatcherServlet; the
     only access control visible on this page for those mappings is the intercept-url
     list in applicationContext-security.xml. -->
<context:component-scan base-package="nz.co.schola.sms.web.tech" />

<!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources directory -->
<!-- NOTE(review): requests for these static files still pass through the security
     filter chain; /resources/** has no intercept-url of its own, so it falls under
     whichever catch-all rule matches it (currently /** -> ROLE_USER). -->
<resources mapping="/resources/**" location="/resources/" />

<!-- Resolves views selected for rendering by @Controllers to .jsp resources in the /WEB-INF/views directory -->
<!-- prefix/suffix pin resolved view names to JSPs under /WEB-INF/views, which the
     container does not serve directly, so a view name cannot point outside it. -->
<beans:bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <beans:property name="prefix" value="/WEB-INF/views/" />
    <beans:property name="suffix" value=".jsp" />
</beans:bean>

<!-- Content negotiation for model-and-view controllers. order="1" makes this
     resolver run ahead of the InternalResourceViewResolver above (which declares
     no order and is presumably left at lowest precedence).
     NOTE(review): mediaTypes keyed by file extension means the client chooses the
     representation by appending .json or .xml to the path. Security rules that
     match exact file names (e.g. /student/add.faces) do not match the suffixed
     variant; here those variants fall through to the /** rule, but keep that in
     mind when adding exact-path rules. The @ResponseBody endpoint in
     CustomController is serialised by message converters, not by these views. -->
<beans:bean class="org.springframework.web.servlet.view.ContentNegotiatingViewResolver">
    <beans:property name="order" value="1" />
    <beans:property name="mediaTypes">
     <beans:map>
      <beans:entry key="json" value="application/json" />
      <beans:entry key="xml" value="application/xml" />
     </beans:map>
    </beans:property>

    <!-- Fallback view used when no media type is resolved from the request. -->
    <beans:property name="defaultViews">
     <beans:list>
      <!-- JSON View -->
      <beans:bean class="org.springframework.web.servlet.view.json.MappingJacksonJsonView" />
     </beans:list>
    </beans:property>
</beans:bean>

Controller 類

/**
 * REST endpoint returning a JSON body for a student/school pair.
 * <p>
 * The mapping below is relative to the DispatcherServlet's servlet mapping, which
 * is not shown on this page; the URL in the question suggests the full path is
 * /assessments/wos/student/{stid}/school/{scid}. There are no method-level
 * security annotations here, so access control for this path comes entirely from
 * the intercept-url rules in applicationContext-security.xml. Opening it to
 * anonymous callers means any client can query arbitrary student/school ids -
 * confirm that is intended before granting ROLE_ANONYMOUS.
 */
@Controller
public class CustomController {

    /**
     * Looks up the weeks of schooling for a student at a school.
     *
     * @param stid student id taken verbatim from the path (untrusted client input)
     * @param scid school id taken verbatim from the path (untrusted client input)
     * @return a JsonFormatClass serialised into the response body via @ResponseBody
     */
    @RequestMapping(value = "/wos/student/{stid}/school/{scid}", method = RequestMethod.GET)
    public @ResponseBody JsonFormatClass getWeeksOfSchooling(@PathVariable("stid") String stid, @PathVariable("scid") String scid) {

     // Elided in the question; whatever runs here receives stid/scid unvalidated.

     return new JsonFormatClass();
    }
}

在我的 Spring Security 應用上下文中，我已經明確指定了一條 intercept-url 規則，以便向匿名用戶授予對該方法的訪問權限。

applicationContext-security.xml 文件

<!-- Filter-chain configuration. Spring Security evaluates the intercept-url rules
     below in declaration order and applies the FIRST pattern that matches the
     request, so specific rules must precede broader ones.
     auto-config="false": no default form-login/basic filters; login is handled by
     the custom filter below and unauthenticated requests go to formAuthenticationEntryPoint. -->
<security:http auto-config="false" entry-point-ref="formAuthenticationEntryPoint">
    <!-- Uses a custom form filter to accommodate the userspace -->
    <security:custom-filter position="FORM_LOGIN_FILTER" ref="userspaceAwareFormLoginFilter" />
    <!-- Unauthenticated requests are given ROLE_ANONYMOUS, which the rules below rely on. -->
    <security:anonymous />
    <security:logout />

    <!-- Workaround for RichFaces automatically including skinning CSS on login page, even though unused -->
    <security:intercept-url pattern="/a4j/**" access="ROLE_ANONYMOUS,ROLE_USER" />
    <!-- Richfaces skinning also uses images and some additional stylesheets... -->
    <security:intercept-url pattern="/css/**" access="ROLE_ANONYMOUS,ROLE_USER" />
    <security:intercept-url pattern="/errorViewExpired.jsp" access="ROLE_ANONYMOUS,ROLE_USER" />
    <security:intercept-url pattern="/images/**" access="ROLE_ANONYMOUS,ROLE_USER" />
    <security:intercept-url pattern="/js/**" access="ROLE_ANONYMOUS,ROLE_USER" />
    <security:intercept-url pattern="/login.faces" access="ROLE_ANONYMOUS,ROLE_USER" />

    <!-- NOTE(review): this exposes student photos to unauthenticated clients;
         confirm that is intended rather than a leftover workaround. -->
    <security:intercept-url pattern="/srStudentPhoto/**" access="ROLE_ANONYMOUS,ROLE_USER" />

    <security:intercept-url pattern="/accountsreceivable/**" access="ROLE_AR" />
    <security:intercept-url pattern="/assessment/**" access="ROLE_PLANNING_ASSESSMENT, ROLE_ASSESS_MAINTENANCE" />
    <security:intercept-url pattern="/assessmentmaintenance/**" access="ROLE_ASSESS_MAINTENANCE" />
    <security:intercept-url pattern="/attendance/attendanceJobSettings.faces" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/attendance/attendanceMaintenance.faces" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/attendance/attendanceSettings.faces" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/attendance/attendanceSurvey.faces" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/attendance/unmarkedRegisters.faces" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/earlynotification/**" access="ROLE_ATTEND" />
    <security:intercept-url pattern="/enrol/**" access="ROLE_ENROL" />
    <security:intercept-url pattern="/enrolment/**" access="ROLE_STUDENTADMIN" />
    <security:intercept-url pattern="/incident/**" access="ROLE_BEHAVIOURAL_MGMT" />
    <security:intercept-url pattern="/rollreturn/**" access="ROLE_ROLL_RETURN" />
    <security:intercept-url pattern="/school/schoolYearSettings.faces" access="ROLE_STUDENTADMIN, ROLE_CUSTOMER_SERVICE" />
    <security:intercept-url pattern="/schooladmin/peopleSearch.faces" access="ROLE_USER_MAINTENANCE, ROLE_USER_ADMIN" />
    <security:intercept-url pattern="/schooladmin/maintainPerson.faces" access="ROLE_USER_MAINTENANCE, ROLE_USER_ADMIN" />
    <security:intercept-url pattern="/schooladmin/maintainPersonRoles.faces" access="ROLE_USER_MAINTENANCE, ROLE_USER_ADMIN" />
    <!-- Duplicate of the peopleSearch.faces rule three lines up; the first one wins, so this is dead. -->
    <security:intercept-url pattern="/schooladmin/peopleSearch.faces" access="ROLE_USER_MAINTENANCE, ROLE_USER_ADMIN" />
    <security:intercept-url pattern="/schooladmin/groupList.faces" access="ROLE_USER" />
    <security:intercept-url pattern="/schooladmin/groupMaintenance.faces" access="ROLE_USER" />

    <!-- Must stay after the specific /schooladmin/*.faces rules above, or it would shadow them. -->
    <security:intercept-url pattern="/schooladmin/**" access="ROLE_SCHOOLADMIN" />
    <security:intercept-url pattern="/student/add.faces" access="ROLE_STUDENTADMIN" />
    <!-- Should only be accessible by Teachers, but current model does not allow for this -->
    <security:intercept-url pattern="/student/createLearningObservation.faces" access="ROLE_USER" />
    <security:intercept-url pattern="/utils/**" access="ROLE_UTILITIES" />

    <security:intercept-url pattern="/customerservice/**" access="ROLE_CUSTSVC_SUPER, ROLE_CUSTOMER_SERVICE" />

    <!-- Catch-all: matches every request not matched above, so EVERY rule placed
         after this line is unreachable. -->
    <security:intercept-url pattern="/**" access="ROLE_USER" />

    <!-- NOTE(review): unreachable - shadowed by /** directly above, which is why the
         request in the question is sent to the login page. Move this rule above the
         /** line. Also consider narrowing it to the one endpoint that should be public
         (e.g. /assessments/wos/student/*/school/*) instead of the whole /assessments/**
         subtree, which would otherwise open every other mapping under that servlet
         to anonymous callers. -->
    <security:intercept-url pattern="/assessments/**" access="ROLE_ANONYMOUS,ROLE_USER" />
    </security:http>

只要我已經通過身份驗證，就可以正常地通過下面的 URL 訪問並使用該方法；否則它會把我重定向到登錄頁面。

http://localhost:8080/MyOwnApp/assessments/wos/student/45345345/school/345343

那麼，我在這裏做錯了什麼？

謝謝。


請顯示完整的 applicationContext-security.xml –


@DirkLachowski 已更新了我的問題。 – Switch

回答


對於路徑

/wos/student/{stid}/school/{scid} 

沒有任何匹配的 intercept-url 規則能覆蓋您的控制器。如果我假設 /wos 是您的 servlet 名稱，那麼您需要一條針對 /student/** 的 intercept-url 規則，並將 access 設為 ROLE_ANONYMOUS。

但您只有：

<!-- Quoted from the question. Both are exact-path rules, so neither matches the
     /…/wos/student/{stid}/school/{scid} request. -->
<security:intercept-url pattern="/student/add.faces" access="ROLE_STUDENTADMIN" />
<security:intercept-url pattern="/student/createLearningObservation.faces" access="ROLE_USER" />

最終匹配到的 intercept-url 規則是

<!-- Quoted from the question. This catch-all is the first rule that matches the request,
     and the /assessments/** rule declared after it in the question is therefore never reached. -->
<security:intercept-url pattern="/**" access="ROLE_USER" />

因此，只有經過身份驗證後才能訪問您的控制器。