
Spring MVC and Security role-based restriction issue

I'm building an application with spring-mvc 3.1.1.RELEASE and Spring Security. I want everyone to have to log in to access it, and I want to restrict access for certain users by role. I edited spring-security.xml like this:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.1.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context-3.1.xsd">

<bean id="userDetailsService" class="it.dedagroup.cartesio.security.auth.UserDetailServiceImpl">
    <property name="accountService" ref="accountService"></property>
</bean>

<sec:http auto-config="true" use-expressions="true" create-session="always">
    <sec:http-basic />
    <sec:intercept-url pattern="/login" access="permitAll"/>
    <sec:intercept-url pattern="/failedLogin"  access="permitAll"/>
    <sec:intercept-url pattern="/resources/**" access="permitAll"/>
    <sec:intercept-url pattern="/error"  access="permitAll"/>
    <sec:intercept-url pattern="/accessDenied*" access="isAuthenticated()" />
    <sec:intercept-url pattern="/home*" access="isAuthenticated()" />
    <sec:intercept-url pattern="/utentiRicerca*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/userEdit*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/creaUser*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/detailsUtente*" access="isAuthenticated()" />
    <sec:intercept-url pattern="/modificaAccount*" access="isAuthenticated()" />
    <sec:intercept-url pattern="/serverRicerca*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/editServer*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/prepareListaSearch*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/prepareListaEdit*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/groupInitSearch*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/groupEdit*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/listaUpdate*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/upload*" access="isAuthenticated()" />
    <sec:intercept-url pattern="/emailRicerca*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/prepareEditCasella*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/acl*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/initDaemons*" access="hasAnyRole('ROLE_ADMIN','ROLE_SYSTEM')" />
    <sec:intercept-url pattern="/mailbox*" access="hasAnyRole('ROLE_OPER','ROLE_USER')" />
    <sec:intercept-url pattern="/emailBody*" access="hasAnyRole('ROLE_OPER','ROLE_USER')" />
    <sec:intercept-url pattern="/pecBody*" access="hasAnyRole('ROLE_OPER','ROLE_USER')" />
    <sec:intercept-url pattern="/composeEmail*" access="hasRole('ROLE_OPER')" />

    <sec:form-login  login-page="/login"
        always-use-default-target="true"
        default-target-url="/home"
        authentication-failure-url="/failedLogin" />

    <!-- delete-cookies takes a comma-separated list of cookie names, not a boolean -->
    <sec:logout invalidate-session="true" logout-success-url="/logout" delete-cookies="JSESSIONID" />

    <sec:session-management invalid-session-url="/login" session-authentication-error-url="/failedLogin?sessionExpiredDuplicateLogin=true" >
        <sec:concurrency-control max-sessions="1" expired-url="/failedLogin" error-if-maximum-exceeded="false" />
    </sec:session-management>
</sec:http>

<sec:authentication-manager>
    <sec:authentication-provider user-service-ref="userDetailsService">
        <sec:password-encoder ref="stdEncoder"></sec:password-encoder>
    </sec:authentication-provider>
</sec:authentication-manager>

</beans>

But if I configure security this way, and if I remove the security mapping for the root URL, it returns a page-not-found error:

<sec:intercept-url pattern="/**" access="isAuthenticated()" />

After login it wraps all my requests, and when I type a request directly into the browser address bar it ignores the rule specified for that sub-URL.

For example, I need only "ROLE_ADMIN" to be able to access the user search at the URL "/utentiRicerca", but if I log in as "ROLE_USER" and type "http://myhost.it:8080/myApp/utentiRicerca" into the browser, it does not give me an "http 403" as it should. So what can I do?

The /** pattern will match any URL, so all links are always accessible. If you put it first, the other links will not even be checked; if you put it last, the other patterns will be checked too, but even if they fail, the user will still pass security if that one is checked.

If you want to restrict certain URLs, you could try changing your URL structure, for example putting any URL that should have role-based access under a "secured" URL.

For example, you could use links with a "secured" prefix like the following:

secured/prepareListaEdit

and protect them with a pattern like this:

<sec:intercept-url pattern="/secured/prepareListaEdit/*" access="hasRole('ROLE_ADMIN')" />

Then, instead of /**, add a pattern using /* for the other links on the root path:

<sec:intercept-url pattern="/*" access="isAuthenticated()" />

(because using /** would match all sub-paths, including "secured")
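Whichever URL layout you choose, the thing that decides which rule a request gets is declaration order: Spring Security walks the intercept-url entries top to bottom and applies the first pattern that matches, then stops. The following is an added example, not code from the question or the answer above: the question's own sec:http block with the catch-all moved to the end, the weak placement kept as a comment for comparison, and a "/secured/**" prefix following the answer's suggestion. Bean ids, URLs and the form-login/logout settings are the question's; the access-denied-handler line is an addition that assumes "/accessDenied" is the page the question's "/accessDenied*" rule refers to.

```xml
<!-- Added example (not from the original post): the question's <sec:http>, re-ordered.
     Spring Security applies the FIRST intercept-url whose pattern matches the request. -->
<sec:http auto-config="true" use-expressions="true" create-session="always">
    <sec:http-basic />

    <!-- WRONG placement: a catch-all declared first matches every request, so the
         ROLE_ADMIN rules below are never consulted and a ROLE_USER session reaches
         /utentiRicerca with nothing more than isAuthenticated(). -->
    <!-- <sec:intercept-url pattern="/**" access="isAuthenticated()" /> -->

    <!-- 1. Public endpoints. They must come before any rule that could also match them. -->
    <sec:intercept-url pattern="/login"        access="permitAll" />
    <sec:intercept-url pattern="/failedLogin"  access="permitAll" />
    <sec:intercept-url pattern="/error"        access="permitAll" />
    <sec:intercept-url pattern="/resources/**" access="permitAll" />

    <!-- 2. Role-restricted endpoints, most specific first. -->
    <sec:intercept-url pattern="/utentiRicerca*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/userEdit*"      access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/creaUser*"      access="hasRole('ROLE_ADMIN')" />
    <!-- the answer's "secured" prefix: /** covers /secured/prepareListaEdit and anything below it -->
    <sec:intercept-url pattern="/secured/**"     access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/initDaemons*"   access="hasAnyRole('ROLE_ADMIN','ROLE_SYSTEM')" />
    <sec:intercept-url pattern="/composeEmail*"  access="hasRole('ROLE_OPER')" />
    <sec:intercept-url pattern="/mailbox*"       access="hasAnyRole('ROLE_OPER','ROLE_USER')" />
    <sec:intercept-url pattern="/emailBody*"     access="hasAnyRole('ROLE_OPER','ROLE_USER')" />
    <sec:intercept-url pattern="/pecBody*"       access="hasAnyRole('ROLE_OPER','ROLE_USER')" />

    <!-- 3. Catch-all LAST. /** matches any depth (/home, /home/a/b); /* matches only a
         single path segment. Keeping /** here means a controller nobody remembered to
         list still requires a login instead of being open by default. -->
    <sec:intercept-url pattern="/**" access="isAuthenticated()" />

    <!-- Addition: send a logged-in user who fails a hasRole() check (HTTP 403) to the
         application's own page instead of the container's default error page. -->
    <sec:access-denied-handler error-page="/accessDenied" />

    <sec:form-login login-page="/login"
        always-use-default-target="true"
        default-target-url="/home"
        authentication-failure-url="/failedLogin" />

    <!-- delete-cookies takes cookie names, not a boolean -->
    <sec:logout invalidate-session="true" logout-success-url="/logout" delete-cookies="JSESSIONID" />

    <!-- session-management / concurrency-control: unchanged from the question -->
</sec:http>
```

A quick check after editing the file: log in as a ROLE_USER account and request /utentiRicerca directly; with the ordering above you should get a 403 (or the /accessDenied page), and requesting a URL that appears in none of the explicit rules should redirect to /login when not authenticated.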


Disclaimer: the technical posts on this site are published under the CC BY-SA 4.0 license; if you repost them, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.
