I am still new to Spring Security, and I have run into the following problem.
I have this controller method that handles requests for the /riepilogoCentrale resource:
@RequestMapping(value = "/riepilogoCentrale", method = RequestMethod.GET)
public String riepilogoUtenteCentrale(HttpServletRequest request, Model model, Locale locale) {
    System.out.println("INTO riepilogoUtenteCentrale()");
    return "centrale/riepilogoCentrale";
}
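My problem is that this resource (and therefore the page it renders) must be accessible to everyone, including users who are not logged in, but when I try to access it as a visitor (a user who is not logged in), Spring Security, as it is currently configured, redirects me to the login page.
This is my Spring Security configuration file (named spring-security.xml):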
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-4.0.xsd">

    <http pattern="/resources/**" security="none"/>

    <http auto-config="true" use-expressions="true" authentication-manager-ref="authenticationManager">
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/registrati" access="permitAll" />
        <intercept-url pattern="/salvaRegistrazione" access="permitAll" />
        <intercept-url pattern="/captcha.html" access="permitAll" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <logout logout-success-url="/login" logout-url="/logout" />
        <form-login login-page="/login"
                    authentication-failure-url="/login?error=true"
                    default-target-url="/"
                    username-parameter="nomeUtente"
                    password-parameter="password"
                    login-processing-url="/j_spring_security_check"/>
        <csrf disabled="true"/>
    </http>

    <authentication-manager id="authenticationManager" >
        <authentication-provider>
            <jdbc-user-service data-source-ref="datasource"
                users-by-username-query="select des_usr_par, des_psw_par,true from TID001_ANAGPARTECIPA where des_usr_par =?"
                authorities-by-username-query="select des_usr_par, prg_par from TID001_ANAGPARTECIPA where des_usr_par = ? "/>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
So, how can I exclude /riepilogoCentrale from Spring Security's handling and make it accessible to users who are not logged in as well?
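
The redirect follows from rule ordering: `intercept-url` patterns are evaluated top to bottom and the first match wins, so `/riepilogoCentrale` currently falls through to the `/**` catch-all. The following is an added example, not part of the original post: the poster's own file with one `permitAll` rule inserted ahead of the catch-all; the XML comments are added and everything else is copied from the question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-4.0.xsd">

    <!-- security="none" removes the whole filter chain for this pattern:
         no SecurityContext and no security filters run at all.
         Keep it for static files only, not for controller URLs. -->
    <http pattern="/resources/**" security="none"/>

    <http auto-config="true" use-expressions="true"
          authentication-manager-ref="authenticationManager">
        <!-- Rules are matched in document order; the first match decides. -->
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/registrati" access="permitAll" />
        <intercept-url pattern="/salvaRegistrazione" access="permitAll" />
        <intercept-url pattern="/captcha.html" access="permitAll" />
        <!-- Added rule: exact path only (no wildcard), so nothing beyond this
             one page becomes public. The request still passes through the
             filter chain, so the view can tell whether a user is logged in. -->
        <intercept-url pattern="/riepilogoCentrale" access="permitAll" />
        <!-- Catch-all stays last: every URL not listed above requires login. -->
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <logout logout-success-url="/login" logout-url="/logout" />
        <form-login login-page="/login"
                    authentication-failure-url="/login?error=true"
                    default-target-url="/"
                    username-parameter="nomeUtente"
                    password-parameter="password"
                    login-processing-url="/j_spring_security_check"/>
        <csrf disabled="true"/>
    </http>

    <authentication-manager id="authenticationManager">
        <authentication-provider>
            <jdbc-user-service data-source-ref="datasource"
                users-by-username-query="select des_usr_par, des_psw_par,true from TID001_ANAGPARTECIPA where des_usr_par =?"
                authorities-by-username-query="select des_usr_par, prg_par from TID001_ANAGPARTECIPA where des_usr_par = ? "/>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

A rule placed after the `/**` line would never be reached, which is why the position of the new line matters more than its content.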