
Spring Security filter chain patterns

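When using Spring Security, you map a chain of filters to URL patterns to specify how those URLs should be secured. These patterns can contain wildcards, for example: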

/foo/*/bar
/foo/**/bar

I can't find any documentation for these wildcards, but my guess is that the first pattern would match

/foo/baz/bar

but not

/foo/baz/baz/bar

whereas the second pattern (/foo/**/bar) would match both of these.

Maybe this code will help:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
    xmlns:p="http://www.springframework.org/schema/p"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:http auto-config="true">

        <security:intercept-url pattern="/login.do"
            access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/logout.do"
            access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/fail2login.do"
            access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/json/*.do"
            access="IS_AUTHENTICATED_ANONYMOUSLY" />

        <security:intercept-url pattern="/*" access="ROLE_ADMIN" />
        <security:form-login login-page="/login.do"
            default-target-url="/home.do" authentication-failure-url="/fail2login.do" />

        <security:session-management>
            <security:concurrency-control
                max-sessions="1" />
        </security:session-management>
        <security:logout logout-success-url="/logout.do"
            delete-cookies="JSESSIONID" invalidate-session="true" />
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service
                data-source-ref="dataSource"
                users-by-username-query="select userName, password, status from User where userName=?"
                authorities-by-username-query="select us.userName, ur.userRoleName from User us, UserRole ur   
                where ur.userName =?  " />
        </security:authentication-provider>
    </security:authentication-manager>
</beans>

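Your assumption is correct. A single wildcard * matches anything within one particular level of the URL tree, whereas the double wildcard ** matches any string pattern.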

So

/foo/*/bar

would match

/foo/abc/bar and /foo/xyz/bar but not /foo/abc/xyz/bar

whereas

/foo/**/bar

would match all of the above.
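An added example, not code from the question or from either answer: a simplified Python model of Ant-style matching, applied in first-match order to the intercept-url rules from the configuration posted above. The function names and the sample request paths are constructed for illustration, and Spring's own matcher handles more cases than this model.

```python
import re

def _segment_matches(pattern_seg, path_seg):
    # Inside one path segment: '*' is any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern_seg)
    return re.fullmatch(regex, path_seg) is not None

def ant_match(pattern, path):
    """Simplified Ant-style match: '**' spans zero or more whole segments."""
    def walk(pats, segs):
        if not pats:
            return not segs
        if pats[0] == "**":
            # Let '**' absorb 0, 1, 2, ... of the remaining segments.
            return any(walk(pats[1:], segs[i:]) for i in range(len(segs) + 1))
        return (bool(segs) and _segment_matches(pats[0], segs[0])
                and walk(pats[1:], segs[1:]))
    split = lambda s: [part for part in s.split("/") if part]
    return walk(split(pattern), split(path))

ANON = "IS_AUTHENTICATED_ANONYMOUSLY"
# intercept-url rules from the configuration on this page, in document order.
RULES = [
    ("/login.do", ANON),
    ("/logout.do", ANON),
    ("/fail2login.do", ANON),
    ("/json/*.do", ANON),
    ("/*", "ROLE_ADMIN"),
]

def required_access(path, rules=RULES):
    """Return the access attribute of the first matching rule, or None
    when no intercept-url rule applies to the path at all."""
    for pattern, access in rules:
        if ant_match(pattern, path):
            return access
    return None

if __name__ == "__main__":
    # Constructed request paths, used only to exercise the rules.
    for p in ("/home.do", "/json/list.do", "/admin/users.do"):
        print(p, "->", required_access(p))
```

The last sample path matches none of the rules, because /* covers only one path level; a catch-all meant to cover deeper paths would need /**.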
