0
我使用Spring 1.5.4引导,春季数据REST,春季安全。我创建映射到不需要身份验证,因为它从报告传入文本短信网关使用的具体路径@Controller
。调用安全方法,无需认证
所以我刚刚创建一个控制器来读取这些参数,然后保存在数据库中的文本。这里有问题。为了存储数据,我使用安全的存储库,而在控制器中,我没有任何安全性(事实上,我不能要求提供商确保其呼叫)。
我试图以编程方式设置的验证上下文,但似乎不工作:
@Controller
@RequestMapping(path = "/api/v1/inbound")
@Transactional
public class InboundSmsController {
private Logger log = LogManager.getLogger();
@RequestMapping(method = RequestMethod.POST, path = "/incomingSms", produces = "text/plain;charset=ISO-8859-1")
public ResponseEntity<?> incomingSms(@RequestParam(name = "Sender", required = true) String sender,
@RequestParam(name = "Destination", required = true) String destination,
@RequestParam(name = "Timestamp", required = true) String timestamp,
@RequestParam(name = "Body", required = true) String body) {
log.info(String.format("Text received from %s to %s at %s with content: %s", sender, destination, timestamp, body));
setupAuthentication();
try {
int transitsWithSameTextToday = transitCertificateRepository.countByTextAndDate(body, Instant.now()); //This is the method that raises an Auth exception
....
....
} finally(){
clearAuthentication();
}
SecurityContext context;
/**
* Set in the actual context the authentication for the system user
*/
private void setupAuthentication() {
context = SecurityContextHolder.createEmptyContext();
Collection<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_ADMIN");
Authentication authentication = new UsernamePasswordAuthenticationToken("system", "ROLE_ADMIN", authorities);
context.setAuthentication(authentication);
}
private void clearAuthentication() {
context.setAuthentication(null);
}
的方法countByTextAndDate
与@PreAuthorize("isAuthenticated()")
注释我很惊讶也设置验证方面我有这个错误。难道我做错了什么?这是达到我的目标的最佳方式吗?
我不想用@PermitAll
注释我的方法,因为Spring Data REST也公开了这个方法,我不想让任何人都可以使用它。
就设置安全性,你通常会(这样你有一个认证,一个匿名的一个,但仍然授权)和写入特定方的安全规则。如'@PreAuthorize( “isAuthenticated()|| hasIpAddress(<的显式IP地址的从 - 的-SMS网关>)”)'。 –