java spring 安全拦截 url 对我不起作用

声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow 原文地址: http://stackoverflow.com/questions/10880679/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow


spring security intercept-url is not working for me

javahibernatespring-security

提问by Rajesh

In my case I want a particular URL to be accessible only to users with ROLE_ADMIN, but this is not working: even if a user does not have the role ROLE_ADMIN, the user is able to see admin-specific pages. Here is the spring-security.xml

在我的情况下,我希望特定的 URL 应该只能由具有 ROLE_ADMIN 的用户访问,但这不起作用,即使用户没有 ROLE 作为 ROLE_ADMIN,用户也可以看到特定于管理员的页面。这是 spring-security .xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:sec="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="
        http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
        http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee.xsd
        http://www.springframework.org/schema/lang http://www.springframework.org/schema/lang/spring-lang.xsd
        http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
        http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
        http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security-3.1.xsd
        ">



    <sec:global-method-security pre-post-annotations="enabled" />

    <!-- security="none": requests matching these patterns skip the security filter chain
         completely, so neither authentication nor the intercept-url rules below apply to them. -->
    <sec:http pattern="/css/**" security="none"/>
    <sec:http pattern="/images/**" security="none"/>
    <sec:http pattern="/js/**" security="none"/>
    <sec:http pattern="/index.jsp" security="none"/>
    <!-- <sec:http pattern="/app/addNewUser.json" security="none"/> -->
    <sec:http pattern="/login.jsp" security="none"/>
    <sec:http use-expressions="true">
        <!--
             Allow all other requests. In a real application you should
             adopt a whitelisting approach where access is not allowed by default
          -->
        <!-- NOTE(review): intercept-url rules are evaluated in declaration order and the first
             matching pattern decides. Because this catch-all comes first, any authenticated user
             satisfies it and the ROLE_ADMIN rule declared further down is never reached. -->
        <sec:intercept-url pattern="/**" access="isAuthenticated()" />
        <sec:form-login login-page='/login.jsp'
          authentication-failure-url="/login.jsp?login_error=1"
          default-target-url="/index.jsp" />
        <sec:logout logout-success-url="/login.jsp" delete-cookies="JSESSIONID"/>
        <sec:remember-me />
 <!-- NOTE(review): shadowed by the /** rule above; it only takes effect if it is moved
      before the catch-all, which is exactly the reordering shown in the answer on this page. -->
 <sec:intercept-url pattern="/**/referencemetadatahome*" access="hasRole('ROLE_ADMIN')" />
    </sec:http>

    <bean id="myUserService" class="com.aa.ceg.proj.mars.serviceimpl.UserServiceImpl" />
    <sec:authentication-manager>
    <sec:authentication-provider user-service-ref="myUserService" />
    </sec:authentication-manager>
<!-- Logs authentication events (success/failure) so access problems like this one show up in the application log. -->
<bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>
</beans>

Here is web.xml;

这是 web.xml;

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
  <display-name>Spring3MVC</display-name>
  <!-- Root application context: both files are loaded by the ContextLoaderListener below,
       so the spring-security.xml beans live in the root context, not in the DispatcherServlet context. -->
  <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring-rootcontext.xml
            /WEB-INF/spring-security.xml
        </param-value>
    </context-param>
       <!-- DelegatingFilterProxy forwards to the Spring bean whose name equals this filter-name
            (springSecurityFilterChain is the bean the sec:http configuration registers). -->
       <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <!-- Mapped to /* so every request, including the /app/* URLs served by the DispatcherServlet
         below, passes through the security chain. Filters run in filter-mapping order, so this
         chain executes before the CAS single sign-out filter declared later in this file. -->
    <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping> 

    <!--
      - Loads the root application context of this web app at startup.
    -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>


  <!-- index.jsp is also excluded from security (security="none") in spring-security.xml. -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <servlet>
    <servlet-name>spring</servlet-name>
    <servlet-class>
            org.springframework.web.servlet.DispatcherServlet
        </servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <!-- All MVC handlers, including the admin page referencemetadatahome.html, are reached under /app/. -->
  <servlet-mapping>
    <servlet-name>spring</servlet-name>
    <url-pattern>/app/*</url-pattern>
  </servlet-mapping>
 <!-- CAS single sign-out: invalidates the local session when the CAS server sends a logout request. -->
 <filter>
       <filter-name>CAS Single Sign Out Filter</filter-name>
       <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>
 <filter-mapping>
       <filter-name>CAS Single Sign Out Filter</filter-name>
       <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>

</web-app>

I am able to access /app/referencemetadatahome.html even if the user does not have the role ROLE_ADMIN. What could be the problem?

/app/referencemetadatahome.html即使用户没有 ROLE_ADMIN 角色,我也可以访问。可能是什么问题呢?

回答by Rajesh

Ok, just reorder the spring security intercept-url entries to make things work: the rules are evaluated in declaration order and the first matching pattern wins, so the `/**` catch-all declared before the admin rule was shadowing it.

好的，只需重新排序 spring security 的 intercept-url 规则即可：规则按声明顺序匹配，第一个匹配的模式生效，所以声明在管理员规则之前的 `/**` 通配规则把它遮蔽了。

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:sec="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="
        http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
        http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee.xsd
        http://www.springframework.org/schema/lang http://www.springframework.org/schema/lang/spring-lang.xsd
        http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
        http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
        http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security-3.1.xsd
        ">



    <sec:global-method-security pre-post-annotations="enabled" />

    <!-- security="none": requests matching these patterns skip the security filter chain
         completely, so neither authentication nor the intercept-url rules below apply to them. -->
    <sec:http pattern="/css/**" security="none"/>
    <sec:http pattern="/images/**" security="none"/>
    <sec:http pattern="/js/**" security="none"/>
    <sec:http pattern="/index.jsp" security="none"/>
    <!-- <sec:http pattern="/app/addNewUser.json" security="none"/> -->
    <sec:http pattern="/login.jsp" security="none"/>
    <sec:http use-expressions="true">
 <!-- Most specific rule first: intercept-url rules are evaluated in declaration order and the
      first matching pattern decides, so this must stay above the /** catch-all. Any further
      restricted URL must likewise be declared above the catch-all.
      NOTE(review): /**/referencemetadatahome* matches that name at any depth and with any suffix;
      if only the DispatcherServlet path is meant, /app/referencemetadatahome* would be narrower. -->
 <sec:intercept-url pattern="/**/referencemetadatahome*" access="hasRole('ROLE_ADMIN')" />
        <!--
             Allow all other requests. In a real application you should
             adopt a whitelisting approach where access is not allowed by default
          -->
        <sec:intercept-url pattern="/**" access="isAuthenticated()" />
        <sec:form-login login-page='/login.jsp'
          authentication-failure-url="/login.jsp?login_error=1"
          default-target-url="/index.jsp" />
        <sec:logout logout-success-url="/login.jsp" delete-cookies="JSESSIONID"/>
        <sec:remember-me />

    </sec:http>

    <bean id="myUserService" class="com.aa.ceg.proj.mars.serviceimpl.UserServiceImpl" />
    <sec:authentication-manager>
    <sec:authentication-provider user-service-ref="myUserService" />
    </sec:authentication-manager>
<!-- Logs authentication events (success/failure) so access problems show up in the application log. -->
<bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>
</beans>