我在Spring Security中很新,我有以下问题。如何从Spring Security管理中排除特定资源,并使其可以访问未登录的用户?
我有一个处理向/riepilogoCentrale资源请求该控制器方法
@RequestMapping(value = "/riepilogoCentrale", method = RequestMethod.GET)
public String riepilogoUtenteCentrale(HttpServletRequest request, Model model, Locale locale) {
System.out.println("INTO riepilogoUtenteCentrale()");
return "centrale/riepilogoCentrale";
}
我的问题是,这种资源(所以相关的呈现的页面)必须给大家(也没有登录访问用户),因为它实际上配置了Spring Security,如果我试图以访问者身份访问这个资源(不记录用户),Spring会将我重定向到登录页面。
这是我的春季安全配置文件(名为弹簧security.xml文件):
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<http pattern="/resources/**" security="none"/>
<http auto-config="true" use-expressions="true" authentication-manager-ref="authenticationManager">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/registrati" access="permitAll" />
<intercept-url pattern="/salvaRegistrazione" access="permitAll" />
<intercept-url pattern="/captcha.html" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<logout logout-success-url="/login" logout-url="/logout" />
<form-login login-page="/login"
authentication-failure-url="/login?error=true"
default-target-url="/"
username-parameter="nomeUtente"
password-parameter="password"
login-processing-url="/j_spring_security_check"/>
<csrf disabled="true"/>
</http>
<authentication-manager id="authenticationManager" >
<authentication-provider>
<jdbc-user-service data-source-ref="datasource"
users-by-username-query="select des_usr_par, des_psw_par,true from TID001_ANAGPARTECIPA where des_usr_par =?"
authorities-by-username-query="select des_usr_par, prg_par from TID001_ANAGPARTECIPA where des_usr_par = ? "/>
</authentication-provider>
</authentication-manager>
</beans:beans>
所以,我怎么能排除/riepilogoCentrale从春天的安全管理,并使其还可以访问到没有登录的用户?
@Makoto你是对的(我正在处理这个项目,但我没有配置它)。如果您将其作为回复发布,我会接受它:-) – AndreaNobili