Spring Security: anonymous user can access every URL

I am developing a GWT application and I want to secure it with spring-security. I have the user data in a database, and a UserService is responsible for fetching a particular user. I have followed this tutorial.

The AuthenticationProvider:

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Autowired
    UserService userService;

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = (String) authentication.getPrincipal();
        String password = (String) authentication.getCredentials();

        User user = userService.findByUserName(username);
        if (user == null) {
            throw new UsernameNotFoundException("User not found");
        }

        // Plain-text comparison against the stored password (no PasswordEncoder involved)
        String storedPass = user.getPassword();
        if (!storedPass.equals(password)) {
            throw new BadCredentialsException("Invalid password");
        }

        // Wrap the verified user in our own Authentication and mark it authenticated
        Authentication customAuthentication = new CustomUserAuthentication(user, authentication);
        customAuthentication.setAuthenticated(true);
        return customAuthentication;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

CustomAuthentication:

```java
import java.util.ArrayList;
import java.util.Collection;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

public class CustomUserAuthentication implements Authentication {

    private static final long serialVersionUID = -3091441742758356129L;

    private boolean authenticated;
    private final GrantedAuthority grantedAuthority;
    private final Authentication authentication;
    private final User user;

    public CustomUserAuthentication(User user, Authentication authentication) {
        // A single authority derived from the user's role enum
        this.grantedAuthority = new SimpleGrantedAuthority(user.getRole().name());
        this.authentication = authentication;
        this.user = user;
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        Collection<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(grantedAuthority);
        return authorities;
    }

    @Override
    public Object getCredentials() {
        return authentication.getCredentials();
    }

    @Override
    public Object getDetails() {
        return authentication.getDetails();
    }

    @Override
    public Object getPrincipal() {
        return user;
    }

    @Override
    public boolean isAuthenticated() {
        return authenticated;
    }

    @Override
    public void setAuthenticated(boolean authenticated) throws IllegalArgumentException {
        this.authenticated = authenticated;
    }

    @Override
    public String getName() {
        return user.getUsername();
    }
}
```

Security context:

          

Everything works: Spring intercepts the call to index.html, I have to log in, and it redirects me back to index.html. The problem is that when I log out and then go to index.html again, I can simply access it. I found that:

```java
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
System.out.println("Logged as: " + auth.getName());
```

prints anonymousUser after logout. When I log in again, this code prints my username, so I think there is a problem with intercepting the anonymous user. Does anyone know how to intercept anonymous users?

Instead of:

   

you can use:

  

This should make Spring Security deny access to anonymous users. Of course, this means you will also need to add one of these:

  

for every pattern that anonymous users should be able to access: typically the login page, error pages, and static resources (images, PDFs, etc.).
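The same split between protected and anonymous-accessible patterns, written in Spring Security's Java configuration instead of the XML namespace the answer refers to. This is an added example, not code from the question or the answer; the paths /login, /error, /images/** and the WebSecurityConfigurerAdapter style are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Patterns the anonymous user may reach (assumed paths): login page,
                // error page and static resources.
                .antMatchers("/login", "/error", "/images/**", "/static/**").permitAll()
                // Every other URL requires a real login. authenticated() rejects the
                // AnonymousAuthenticationToken even though its isAuthenticated() is true,
                // which is why the "anonymousUser" seen in the question no longer passes.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                // Drop the session on logout so the next request to index.html is
                // anonymous again and is intercepted by the rule above.
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .permitAll();
    }
}
```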