
Spring Security configuration issue with http basic: IllegalArgument

I can't seem to figure out why this configuration gives an IllegalArgumentException. The error is:

Caused by: java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined  before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration

The configuration is:

<!-- Disable Spring Security for static content -->
<http pattern="/css/**" security="none"/>
<http pattern="/js/**" security="none"/>

<!-- Web app security -->
<http use-expressions="true" authentication-manager-ref="pvDatabase">   
    <!-- Insecure endpoints -->
    <intercept-url pattern="/" access="permitAll"/>
    <intercept-url pattern="/spring/login" access="permitAll"/>
    <intercept-url pattern="/spring/loginfail" access="permitAll"/>
    <intercept-url pattern="/spring/loggedout" access="permitAll"/>     
    <intercept-url pattern="/insecure/**" access="permitAll"/>

    <!-- Secure endpoints -->               
    <intercept-url pattern="/secure/admin/**" access="hasAnyRole('ADMIN')"/>
    <intercept-url pattern="/spring/**" access="hasAnyRole('ADMIN', 'USER')"/>
    <intercept-url pattern="/secure/**" access="hasAnyRole('ADMIN', 'USER')"/>      

    <!-- Authentication Entrypoint is FORM-LOGIN -->
    <form-login login-page="/spring/login" 
        login-processing-url="/spring/login"
        authentication-failure-url="/spring/loginfail" 
        default-target-url="/spring/loginsuccess" 
        always-use-default-target="true" />
    <logout logout-url="/spring/logout" logout-success-url="/spring/loggedout" delete-cookies="JSESSIONID" invalidate-session="true"/>
    <csrf/>

    <!-- HTTP 403 Access denied custom handling -->
    <access-denied-handler ref="pvAccessDeniedHandler"/>
</http>

<!-- Web services security : this section generates an error -->
<http use-expressions="true" create-session="stateless" authentication-manager-ref="pvDatabase">
    <!-- Authentication Entrypoint is HTTP-BASIC -->
    <http-basic entry-point-ref="PVBasicAuthenticationEntryPoint"/>

    <!-- secure endpoints : web services -->
    <intercept-url pattern="/services/api/**" access="hasAnyRole('ADMIN', 'WEBSERVICES')"/>

    <!-- HTTP 403 Access denied custom handling -->
    <access-denied-handler ref="pvAccessDeniedHandler"/>
</http>

Security works well if I remove the entire Web Services security section; what I want is to be able to protect only the /services/api/** pattern with basic-auth, in addition restricting it to users with the roles ADMIN and WEBSERVICES only.

I am not sure I understand the error, as there is no other URL pattern defined that is a universal match; I don't have /** mapped anywhere.

My app consists of 2 Dispatcher servlets; the first is mapped to /spring/* and the second is mapped to /services/api/*. The Spring Security Filter Chain is mapped to /*.

This error is because the http blocks are also considered in order, and the default pattern for an http block is /**. Without having a pattern attribute on all but the last http block, the other block will never be seen.

Adding pattern to the first http block should fix your problem. If pattern does not work, you can also use a custom instance of RequestMatcher with request-matcher-ref.
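A corrected layout of the same configuration, as an added example that is not code from the question or the answer above: it reorders the chains so that the block with an explicit pattern (/services/api/**) comes first and the pattern-less form-login block, which defaults to /**, comes last. This achieves the same result as the answer's suggestion of adding a pattern to the form-login block, without having to find a single Ant pattern that covers /, /spring/**, /secure/** and /insecure/**. FilterChainProxy uses the first <http> chain whose matcher hits, so any chain placed after a /** chain is dead configuration, which is exactly what the exception reports. The added trailing denyAll rule is an assumption about what the practitioner wants (deny-by-default); with namespace config a request that matches no intercept-url is otherwise let through the authorization filter unchallenged. Bean names (pvDatabase, PVBasicAuthenticationEntryPoint, pvAccessDeniedHandler) are taken from the question.

```xml
<!-- Static content: no security filters at all (unchanged from the question) -->
<http pattern="/css/**" security="none"/>
<http pattern="/js/**" security="none"/>

<!-- Web services: stateless HTTP Basic.
     This chain carries an explicit pattern attribute, so FilterChainProxy only
     selects it for /services/api/** requests; it must sit BEFORE the catch-all
     chain below, otherwise it is never reached. -->
<http pattern="/services/api/**"
      use-expressions="true"
      create-session="stateless"
      authentication-manager-ref="pvDatabase">
    <http-basic entry-point-ref="PVBasicAuthenticationEntryPoint"/>
    <intercept-url pattern="/services/api/**" access="hasAnyRole('ADMIN', 'WEBSERVICES')"/>
    <access-denied-handler ref="pvAccessDeniedHandler"/>
    <!-- Assumption: on Spring Security 4+, where CSRF is on by default, a
         token-less stateless API chain additionally needs
         <csrf disabled="true"/> here; on 3.2 (where <csrf/> is opt-in, as the
         question's form-login block suggests) nothing is required. -->
</http>

<!-- Web application: form login.
     No pattern attribute, so this chain defaults to /** and has to be the LAST
     <http> element in the file. -->
<http use-expressions="true" authentication-manager-ref="pvDatabase">
    <!-- intercept-url entries are also evaluated top-down, first match wins:
         the specific permitAll paths must stay above /spring/**. -->
    <intercept-url pattern="/" access="permitAll"/>
    <intercept-url pattern="/spring/login" access="permitAll"/>
    <intercept-url pattern="/spring/loginfail" access="permitAll"/>
    <intercept-url pattern="/spring/loggedout" access="permitAll"/>
    <intercept-url pattern="/insecure/**" access="permitAll"/>

    <intercept-url pattern="/secure/admin/**" access="hasAnyRole('ADMIN')"/>
    <intercept-url pattern="/spring/**" access="hasAnyRole('ADMIN', 'USER')"/>
    <intercept-url pattern="/secure/**" access="hasAnyRole('ADMIN', 'USER')"/>

    <!-- Added (assumption): deny-by-default for anything not listed above.
         Inside a chain, /** as the LAST intercept-url is fine; it is only a
         /** chain placed before other chains that raises the exception. -->
    <intercept-url pattern="/**" access="denyAll"/>

    <form-login login-page="/spring/login"
        login-processing-url="/spring/login"
        authentication-failure-url="/spring/loginfail"
        default-target-url="/spring/loginsuccess"
        always-use-default-target="true"/>
    <logout logout-url="/spring/logout" logout-success-url="/spring/loggedout"
        delete-cookies="JSESSIONID" invalidate-session="true"/>
    <csrf/>
    <access-denied-handler ref="pvAccessDeniedHandler"/>
</http>
```

Two things worth checking after applying this. First, the ordering rule applies at both levels: between <http> chains (the chain matcher) and within a chain (intercept-url), and in both cases the first match wins, so a catch-all belongs at the bottom of its list. Second, the denyAll rule means any URL the application serves but does not list (for example a favicon or an error page) now returns 403 through pvAccessDeniedHandler; add an explicit permitAll or authenticated entry for each such path rather than dropping the rule.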

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you reproduce them, please credit this site or the original source. Questions: yoyou2525@163.com.

© 2020-2024 STACKOOM.COM