春天的SecurityContext返回null认证

Question

我使用Spring Security进行用户身份验证，但SecurityContext的是空当未登录用户

在我的web.xml我：

<filter> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <filter-class> 
     org.springframework.web.filter.DelegatingFilterProxy 
    </filter-class> 
</filter> 
<filter-mapping> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <url-pattern>/*</url-pattern> 
    <dispatcher>REQUEST</dispatcher> 
    <dispatcher>ERROR</dispatcher> 
</filter-mapping> 

在我的security.xml我

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xmlns:security="http://www.springframework.org/schema/security" 
     xmlns:http="http://www.springframework.org/schema/security" 
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd 
     http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd"> 

    <!-- Static resources such as CSS and JS files are ignored by Spring Security --> 
    <security:http pattern="/resources/**" security="none" /> 

    <security:http use-expressions="true"> 
     <!-- Enables Spring Security CSRF protection --> 
     <security:csrf/> 
     <!-- Configures the form login --> 
     <security:form-login 
       login-page="/login" 
       login-processing-url="/login/authenticate" 
       authentication-failure-url="/login?error=bad_credentials" 
       username-parameter="username" 
       password-parameter="password"/> 
     <!-- Configures the logout function --> 
     <security:logout 
       logout-url="/logout" 
       logout-success-url="/home" 
       delete-cookies="JESSIONID"/> 

     <security:intercept-url pattern="/**" method="GET" access="permitAll"/> 
     <security:intercept-url pattern="/user/register" method="POST" access="permitAll"/> 

     <!-- These operations are protected. --> 
     <security:intercept-url pattern="/product/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/> 
     <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/> 
     <security:access-denied-handler error-page="/login"/> 

     <!-- Adds social authentication filter to the Spring Security filter chain. --> 
     <security:custom-filter ref="socialAuthenticationFilter" before="PRE_AUTH_FILTER" /> 
    </security:http> 

...其他配置...

在那里我得到空的代码是：

HttpSession session = request.getSession(true); 
SecurityContext securityContext =(SecurityContext) session.getAttribute("SPRING_SECURITY_CONTEXT"); 
Authentication authentication = securityContext.getAuthentication(); 
user = (Object) authentication.getPrincipal(); 

但是我得到空SecurityContext的在没有用户的任何帮助被记录在那里我做错了

Answer 1

从。 http://docs.spring.io/spring-security/site/docs/3.0.x/reference/anonymous.html：

...请注意，“匿名认证”的用户和不认证的用户之间没有真正的概念上的区别ed用户。 Spring Security的匿名身份验证只是为您提供更方便的方式来配置您的访问控制属性。例如，调用servlet API调用（例如，getCallerPrincipal），即使SecurityContextHolder中实际存在匿名身份验证对象，仍将返回空值。

还有其他情况下匿名认证是有用的，比如当审计拦截器查询SecurityContextHolder以确定哪个主体负责给定操作时。 如果他们知道SecurityContextHolder始终包含一个Authentication对象并且从不为null，则可以更健壮地编写类。

因此喜欢的设置（也引用页）：

permitAll 

..to：

<bean id="anonymousAuthFilter" 
    class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter"> 
    <property name="key" value="foobar"/> 
    <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/> 
</bean> 
<bean id="anonymousAuthenticationProvider" 
    class="org.springframework.security.authentication.AnonymousAuthenticationProvider"> 
    <property name="key" value="foobar"/> 
</bean> 

..和无法通过调整security.xml文件条目

ROLE_ANONYMOUS 

应该为您提供一个Securitycontext/Authentication对象（但不一定带有“Principal”）。