Confusion around Spring Security anonymous access using Java Config

Submitted by 蹲街弑〆低调 on 2019-12-04 20:26:26

Question


I am using the following Java Config with Spring Security:

protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .httpBasic();
}

Based on this configuration, all requests are authenticated. When you hit a controller without being authenticated, the AnonymousAuthenticationFilter will create an Authentication object for you with username=anonymousUser, role=ROLE_ANONYMOUS.

I am trying to provide anonymous access to a specific controller method and have tried to use each of the following:

  1. @Secured("ROLE_ANONYMOUS")
  2. @Secured("IS_AUTHENTICATED_ANONYMOUSLY")

When the controller methods get invoked, the following response is given: "HTTP Status 401 - Full authentication is required to access this resource"

Can someone help me understand why we are receiving this message and why ROLE_ANONYMOUS/IS_AUTHENTICATED_ANONYMOUSLY don't seem to work using this configuration?

Thanks,
JP


Answer 1:


Your security configuration is blocking all unauthenticated requests. You should allow access to the controller with

.antMatchers("/mycontroller").permitAll()

See also:

  • http://spring.io/blog/2013/07/03/spring-security-java-config-preview-web-security/
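The configuration from the question with the exception from the answer applied, as an added example that is not part of the original question or answer. The class names `SecurityConfig` and `MyController` and the `/account` path are assumptions made for illustration; `/mycontroller` is the path used in the answer.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical class name

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // URL rules are enforced in the filter chain, before any
                // @Secured check on the controller method is reached. With only
                // anyRequest().authenticated(), the anonymous token is rejected
                // here and the client gets the 401 from the question.
                //
                // Rules are evaluated in declaration order and the first match
                // wins, so the narrow exception must come before anyRequest().
                .antMatchers("/mycontroller").permitAll()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}

@RestController
class MyController { // hypothetical controller

    // Reachable without credentials because of the permitAll() rule above.
    @RequestMapping("/mycontroller")
    public String open() {
        return "public";
    }

    // Not matched by any exception: falls through to anyRequest().authenticated()
    // and requires HTTP Basic credentials.
    @RequestMapping("/account") // hypothetical path
    public String account() {
        return "private";
    }
}
```

Keep the `permitAll()` pattern as narrow as the endpoint requires, since every path it matches is reachable without credentials.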


Source: https://stackoverflow.com/questions/22385205/confusion-around-spring-security-anonymous-access-using-java-config
