我用 spring roo 创建了一个 web 服务,并为项目添加了 spring 安全性。到目前为止一切正常,但现在我想允许通过 HTTP GET 请求访问实体信息而无需任何身份验证。其他 HTTP 方法(如 POST、PUT 等)应保持安全。
我的 applicationContext-security.xml 如下所示,但是当我在“/releaseupdates/”上使用“Accept: application/json”标头执行 HTTP GET 时,它总是返回登录页面(我认为 spring security 会在内部重定向到登录页面):
<http auto-config="true" use-expressions="true">
<form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" />
<logout logout-url="/resources/j_spring_security_logout" />
<!-- Configure these elements to secure URIs in your application -->
<intercept-url pattern="/releaseupdates/**" access="permitAll" method="GET" />
<intercept-url pattern="/releaseupdates/**" access="hasRole('ROLE_ADMIN')" method="POST" />
<intercept-url pattern="/releaseupdatestatuses/**" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/member/**" access="isAuthenticated()" />
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/login/**" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" />
</http>