我使用Spring Boot 1.5.6(也試過1.5.4)。 我使用的是彈簧(引導)安全預認證與允許的資源仍然認證
RequestHeaderAuthenticationFilter
和
PreAuthenticatedAuthenticationProvider
,以確保我的Spring MVC的Web應用程序,並允許訪問這兩個控制器的路徑和靜態資源。
在我
RequestHeaderAuthenticationFilter
成立我想
setExceptionIfHeaderMissing(true);
,讓我知道,如果頭變量在請求被髮送。
當我嘗試訪問任何許可的資源的使用,Spring Security看起來總是在請求頭變量,並拋出一個
PreAuthenticatedCredentialsNotFoundException
爲什麼春季安全仍試圖查找該預驗證主要即使我正在嘗試訪問允許的(不受保護的)資源? 我如何繞過這種行爲?
我對WebSecurityConfigurerAdapter Java的配置低於
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter{
private static final Logger log = LoggerFactory.getLogger(SecurityConfig.class);
@Autowired
protected UserDetailsService userDetailsService;
@Bean
public PreAuthenticatedAuthenticationProvider preAuthenticatedAuthenticationProvider(){
log.info("Configuring pre authentication provider");
UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper =
new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(
userDetailsService);
PreAuthenticatedAuthenticationProvider it = new PreAuthenticatedAuthenticationProvider();
it.setPreAuthenticatedUserDetailsService(wrapper);
return it;
}
@Bean
public RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter() throws Exception{
RequestHeaderAuthenticationFilter it = new RequestHeaderAuthenticationFilter();
it.setAuthenticationManager(authenticationManager());
it.setExceptionIfHeaderMissing(true);
return it;
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
log.info("configure authentication provider");
auth.authenticationProvider(preAuthenticatedAuthenticationProvider());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
log.info("Configure HttpSecurity");
http
.authorizeRequests()
.antMatchers("/permitted/**", "/css/**", "/js/**", "/images/**", "/webjars/**")
.permitAll()
.anyRequest()
.authenticated()
.and().addFilter(requestHeaderAuthenticationFilter())
;
}
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/permitted/**", "/css/**", "/js/**", "/images/**", "/webjars/**");
}
}