0

我用 spring roo 创建了一个 web 服务,并为项目添加了 spring 安全性。到目前为止一切正常,但现在我想允许通过 HTTP GET 请求访问实体信息而无需任何身份验证。其他 HTTP 方法(如 POST、PUT 等)应保持安全。

我的 applicationContext-security.xml 如下所示,但是当我在“/releaseupdates/”上使用“Accept: application/json”标头执行 HTTP GET 时,它总是返回登录页面(我认为 spring security 会在内部重定向到登录页面):

 <http auto-config="true" use-expressions="true">
        <form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" />
        <logout logout-url="/resources/j_spring_security_logout" />
        <!-- Configure these elements to secure URIs in your application -->
        <intercept-url pattern="/releaseupdates/**" access="permitAll" method="GET" />
        <intercept-url pattern="/releaseupdates/**" access="hasRole('ROLE_ADMIN')" method="POST" />
        <intercept-url pattern="/releaseupdatestatuses/**" access="hasRole('ROLE_ADMIN')"/>
        <intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/member/**" access="isAuthenticated()" />
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/login/**" access="permitAll" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
</http>
4

1 回答 1

2

还有一个注释 @PreAuthorize 可能是你的朋友。注释可以在控制器的类或方法级别。

这是一个例子:

@Controller
@RequestMapping("/releaseupdates")
public class ReleaseUpdateController {

   @RequestMapping(method=RequestMethod.GET)
   public String unprotectedGetRequest() {
      //do something, no protection
   }

   @PreAuthorize("hasRole('ROLE_ADMIN')")
   @RequestMapping(method=RequestMethod.POST)
   public String securePostRequest() {
      //do something, secured
   }

}
于 2015-06-04T12:44:38.577 回答