正如标题所说... 我正在使用 Spring security,有时当我在 PermissionEvaluator 中被调用时:
public boolean hasPermission(Authentication inAuthentication, Serializable inTargetId, String inTargetType, Object inPermission) {
我没有获得 UsernamePasswordAuthenticationToken 进行身份验证,而是获得 AnonymousAuthenticationToken 的实例。
如果 AnonymousAuthenticationToken 有任何用途,则包含:
我不知道这是怎么发生的。日志中没有任何异常。有什么想法吗?
我也有完全相同的行为。因为我从 Java 8 切换到 Java 11。但是,还有 Spring Boot 版本 2.1.18。我想缓慢过渡并从 Java 11 开始。 有数百个注册正在进行中:
2024-01-17 13:40:51.564 DEBUG 2834036 --- [http-nio-9005-exec-7] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2024-01-17 13:40:51.564 DEBUG 2834036 --- [http-nio-9005-exec-7] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2024-01-17 13:40:51.564 DEBUG 2834036 --- [http-nio-9005-exec-7] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2024-01-17 13:40:51.662 DEBUG 2834036 --- [http-nio-9005-exec-3] d.h.m.d.l.SessionListenerImpl : add session - from IP: 10.22.6.49
2024-01-17 13:40:51.662 DEBUG 2834036 --- [http-nio-9005-exec-3] d.h.m.d.l.SessionListenerImpl : Total active session count: 8
2024-01-17 13:40:51.662 DEBUG 2834036 --- [http-nio-9005-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /actuator/info; Attributes: [authenticated]
2024-01-17 13:40:51.662 DEBUG 2834036 --- [http-nio-9005-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@317b81: Principal: org.springframework.security.core.userdetails.User@310c2d: Username: huss; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 10.22.6.49; SessionId: null; Not granted any authorities
然后在某个时刻它停止工作,用户从“UsernamePasswordAuthenticationToken”切换到“AnonymousAuthenticationToken”:
2024-01-17 14:09:58.126 DEBUG 2834036 --- [http-nio-9005-exec-2] o.s.s.w.a.ExceptionTranslationFilter : Calling Authentication entry point.
2024-01-17 14:09:58.221 DEBUG 2834036 --- [http-nio-9005-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /error; Attributes: [authenticated]
2024-01-17 14:09:58.221 DEBUG 2834036 --- [http-nio-9005-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@28ccd389: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff8868: RemoteIpAddress: 10.22.6.49; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2024-01-17 14:09:58.221 DEBUG 2834036 --- [http-nio-9005-exec-5] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
为什么在 Java 11 上会发生这种情况?有遇到过这个问题的人有解决办法吗?
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
/**
* define basic login
*
* @param http
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.antMatchers("/").denyAll()
.and().csrf().disable()
.requestCache().requestCache(new NullRequestCache())
.and().exceptionHandling()
.and().httpBasic();
}
}