Spring Security: how to exclude certain resources?

执笔经年 2020-11-30 02:37

I have the following definition...

    

        
6 answers
  • 2020-11-30 02:45

    I think you have to add the use-expressions tag to your http configuration in the security XML, for example:

    <http auto-config="true" use-expressions="true">
    ...
    ...
    </http>
    

    Edit: Well I am not sure what version of spring security you are using. I know this works on 3.0 but for older versions I am not sure.

  • 2020-11-30 03:03

    You don't specify the rest of your configuration, and since it looks like you have explicit bean configuration, it's hard for us to guess exactly how you have things configured. I'll say that some combination of the above answers is correct.

    1. If you are using Spr Sec 3, Gopi's answer is correct if you want to enable SpEL expressions (and have the corresponding beans which can evaluate them also configured). This can be hard if you are not using the http namespace.
    2. If you have an appropriate filter configured for setting up a SecurityContext for unauthenticated (anonymous) users, then setting role="IS_AUTHENTICATED_ANONYMOUSLY,IS_AUTHENTICATED_FULLY,IS_AUTHENTICATED_REMEMBERED" or some combination thereof should work.
    3. If all else fails, as several folks have suggested, filters="none" will do what you want, but take care that you really don't need anything to do with Spring Security in the code underlying the pages you are rendering, otherwise you may find yourself scratching your head later on.

    Good luck!

  • 2020-11-30 03:04

    Try:

    <sec:intercept-url pattern="/nonsecure/**" filters="none" />
    
  • 2020-11-30 03:06

    To be able to use expressions such as [permitAll] you have to add a WebExpressionVoter to your AccessDecisionManager.

  • 2020-11-30 03:10

    In spring security 3.1.x the use of filters="none" is deprecated. Instead you use multiple <http> tags like this:

    <http pattern="/nonsecure/**" security="none"/>
    

    http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-form-and-basic

  • 2020-11-30 03:12

    <security:http auto-config='true'>
        <security:intercept-url pattern="/getfeed/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN" />
        <security:http-basic />
    </security:http>
    

    access="IS_AUTHENTICATED_ANONYMOUSLY" is the solution. I found it at the following link: http://syntx.io/adding-http-basic-auth-to-restful-services-in-java-and-spring/

    Intercepts are evaluated top down. If you write /** before /getIntelFeed/**, then all services would go through /** and security would be applied to all services. In such a case /getIntelFeed/** would be ineffective.

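Added example, not part of any answer above and not taken from the Spring Security project: a complete Spring Security 3.1 namespace configuration that puts the two exclusion styles from the answers side by side, with the pattern ordering the last answer describes. The `/nonsecure/**` and `/getfeed/**` patterns come from the answers; the in-memory user and its password are placeholders constructed for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Style 1: security="none". No filter chain runs for these requests,
         so no SecurityContext is available to the code behind them.
         Suitable only for content that never needs to know the caller.
         This element must come before the catch-all <http> block below. -->
    <security:http pattern="/nonsecure/**" security="none"/>

    <!-- Style 2: the filter chain still runs, but anonymous callers are allowed.
         The code behind /getfeed/** can still read the SecurityContext. -->
    <security:http auto-config="true">
        <!-- intercept-url entries are matched top down and the first match wins,
             so the specific pattern must precede the catch-all. -->
        <security:intercept-url pattern="/getfeed/**"
                                access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN"/>
        <security:http-basic/>
    </security:http>

    <!-- Placeholder user store so the context starts; replace with a real
         provider and a hashed credential in any deployment. -->
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="demo" password="CHANGE_ME"
                               authorities="ROLE_USER"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
```

To check the result, request a path under each pattern without credentials: `/nonsecure/**` and `/getfeed/**` should return content, and any other path should answer with an HTTP Basic challenge (401).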