Spring Security intercept-url appears to be skipped/ignored
I want to configure Spring Security so that one particular resource is locked down to one group, and the rest of the resources are available to any logged-in user. My security.xml looks like this:
<http auto-config="true" create-session="stateless" use-expressions="true">
<intercept-url pattern="/server/**" access="hasRole('ROLE_DEV-USER')" method="POST" requires-channel="https"/>
<intercept-url pattern="/**" access="isFullyAuthenticated()" method="POST" requires-channel="https"/>
<intercept-url pattern="/**" access="isFullyAuthenticated()" method="PUT" requires-channel="https"/>
<intercept-url pattern="/**" access="isFullyAuthenticated()" method="DELETE" requires-channel="https"/>
<intercept-url pattern="/**" access="permitAll" method="GET" requires-channel="any"/>
<intercept-url pattern="/**" access="permitAll" method="HEAD" requires-channel="any"/>
<http-basic />
<logout />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_NOT-DEV-USER" />
<user name="admin2" password="admin2" authorities="ROLE_DEV-USER" />
</user-service>
</authentication-provider>
</authentication-manager>
I want only one admin to be able to POST to server/enable and server/disable. What I actually see is that both admin and admin2 can POST to the server/enable resource. It looks as if /server/** is ignored and the next, more general intercept-url takes over instead. The startup log shows all the lines being loaded:
2013-08-21 15:07:42,124 INFO FilterInvocationSecurityMetadataSourceParser:134 - Creating access control expression attribute 'hasRole('ROLE_DEV-USER')' for /server/**
2013-08-21 15:07:42,125 INFO FilterInvocationSecurityMetadataSourceParser:134 - Creating access control expression attribute 'isFullyAuthenticated()' for /**
2013-08-21 15:07:42,125 INFO FilterInvocationSecurityMetadataSourceParser:134 - Creating access control expression attribute 'isFullyAuthenticated()' for /**
2013-08-21 15:07:42,126 INFO FilterInvocationSecurityMetadataSourceParser:134 - Creating access control expression attribute 'isFullyAuthenticated()' for /**
2013-08-21 15:07:42,126 INFO FilterInvocationSecurityMetadataSourceParser:134 - Creating access control expression attribute 'permitAll' for /**
2013-08-21 15:07:42,127 INFO FilterInvocationSecurityMetadataSourceParser:134 - Creating access control expression attribute 'permitAll' for /**
Currently using Spring v3.1.2.
Intercept URLs are evaluated in the order they appear. From the documentation at http://static.springsource.org/spring-security/site/docs/3.0.x/reference/core-web-filters.html:
Patterns are always evaluated in the order they are defined. Thus it is important that more specific patterns are defined higher in the list than less specific patterns. This is reflected in our example above, where the more specific /secure/super/ pattern appears higher than the less specific /secure/ pattern. If they were reversed, the /secure/ pattern would always match and the /secure/super/ pattern would never be evaluated.
..so as long as your more specific URL is at the top it should work. You may need to debug to see how Spring Security evaluates and tries to match your URL. Sorry, not a real answer, but too big for a comment.
The pattern needs to be extended to include the url-pattern used to map the servlet.
web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>restServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext-dispatchservlet.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>restServlet</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
So Spring Security needs the servlet mapping plus the request mapping to get the URL it applies the interception to:
<http auto-config="true" create-session="stateless" use-expressions="true">
<intercept-url pattern="/rest/server/**" access="hasRole('ROLE_DEV-USER')" method="POST" requires-channel="https"/>
<intercept-url pattern="/**" access="isFullyAuthenticated()" method="POST" requires-channel="https"/>
<intercept-url pattern="/**" access="isFullyAuthenticated()" method="PUT" requires-channel="https"/>
<intercept-url pattern="/**" access="isFullyAuthenticated()" method="DELETE" requires-channel="https"/>
<intercept-url pattern="/**" access="permitAll" method="GET" requires-channel="any"/>
<intercept-url pattern="/**" access="permitAll" method="HEAD" requires-channel="any"/>
<http-basic />
<logout />
</http>
Once the missing /rest was added to the pattern, it worked as expected.
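The two answers above make two separate points: intercept-url entries are matched top-down, first match wins; and the path being matched is the full servlet path (/rest/server/enable here), so a pattern of /server/** never matches. The following is an added example, not code from the question or from Spring Security, that models that ordered evaluation with a small Ant-style matcher and a minimal evaluator for the three access expressions used on this page. The user-to-role mapping is copied from the question's <user-service>; the matcher, the evaluator and the request paths are assumptions made for illustration. It also shows a third case the first answer warns about: the specific rule placed after /** POST.

```python
import re
from collections import namedtuple

# One <intercept-url> element: pattern, HTTP method (None = any), access expression.
Rule = namedtuple("Rule", "pattern method access")


def ant_to_regex(pattern):
    """Simplified Ant-style matcher (assumption: models Spring's AntPathMatcher).
    '/**' at the end matches the prefix itself plus any number of sub-segments,
    '**/' in the middle matches zero or more whole segments,
    '*' matches within one segment, '?' matches one character."""
    tail = ""
    if pattern.endswith("/**"):
        pattern, tail = pattern[:-3], "(?:/.*)?"
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:[^/]+/)*"); i += 3
        elif pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + tail + "$")


def first_match(rules, method, path):
    """Ordered lookup, first match wins, as the quoted documentation describes."""
    for rule in rules:
        if rule.method is not None and rule.method != method:
            continue
        if ant_to_regex(rule.pattern).match(path):
            return rule
    return None


def access_granted(expression, roles):
    """Tiny evaluator for the three expressions used on this page.
    roles: set of granted authorities, or None for an anonymous request."""
    if expression == "permitAll":
        return True
    if expression == "isFullyAuthenticated()":
        return roles is not None
    m = re.fullmatch(r"hasRole\('([^']+)'\)", expression)
    if m:
        return roles is not None and m.group(1) in roles
    raise ValueError("unsupported expression: " + expression)


# Users and authorities from the question's <user-service>.
USERS = {"admin": {"ROLE_NOT-DEV-USER"}, "admin2": {"ROLE_DEV-USER"}}


def decide(rules, method, path, username=None):
    """Return (matched pattern or None, allowed?) for one request."""
    rule = first_match(rules, method, path)
    if rule is None:
        # No intercept-url matched: with Spring's default rejectPublicInvocations=false
        # the request is simply not intercepted.
        return None, True
    return rule.pattern, access_granted(rule.access, USERS.get(username))


def rules_for(server_pattern):
    # The six intercept-url lines from the question; only the first pattern varies.
    return [
        Rule(server_pattern, "POST", "hasRole('ROLE_DEV-USER')"),
        Rule("/**", "POST", "isFullyAuthenticated()"),
        Rule("/**", "PUT", "isFullyAuthenticated()"),
        Rule("/**", "DELETE", "isFullyAuthenticated()"),
        Rule("/**", "GET", "permitAll"),
        Rule("/**", "HEAD", "permitAll"),
    ]


BROKEN = rules_for("/server/**")            # original security.xml
FIXED = rules_for("/rest/server/**")        # pattern includes the /rest servlet mapping
REVERSED = [FIXED[1], FIXED[0]] + FIXED[2:]  # specific rule listed after /** POST

if __name__ == "__main__":
    # The DispatcherServlet is mapped at /rest/*, so the path the security filter
    # chain sees is /rest/server/enable, never /server/enable (constructed request).
    for label, rules in (("broken", BROKEN), ("fixed", FIXED), ("reversed", REVERSED)):
        for user in ("admin", "admin2"):
            print(label, user, decide(rules, "POST", "/rest/server/enable", user))
```

With the original config, the POST from admin falls through to the /** rule and is granted because admin is authenticated; with /rest/server/** it hits the specific rule and is refused for lack of ROLE_DEV-USER. The "reversed" list reproduces the failure mode the first answer describes: the same correct pattern is never reached once /** POST sits above it. The startup log in the question cannot reveal either problem, since it only confirms that each pattern was registered, not what a given request path matches.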