Multiple antMatchers in Spring Security

Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/30819337/

Date: 2020-09-08 00:38:16  Source: igfitidea


Tags: spring, spring-mvc, spring-security

Asked by Bashar Abutarieh

I work on a content management system that has five antMatchers like the following:


```java
http.authorizeRequests()
        .antMatchers("/", "/*.html").permitAll()
        .antMatchers("/user/**").hasRole("USER")
        .antMatchers("/admin/**").hasRole("ADMIN")
        .antMatchers("/admin/login").permitAll()
        .antMatchers("/user/login").permitAll()
        .anyRequest().authenticated()
        .and()
        .csrf().disable();
```

which is supposed to mean that visitors can see the whole site at the root path (/*), users can see only (/user), admins can see only (/admin), and there are two login pages, one for users and another for admins.


The code seems to work fine, except for the admin section: it doesn't work but returns an access denied exception.


Answered by Bohuslav Burghardt

I believe that the problem is in the order of your rules:


```java
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/admin/login").permitAll()
```

The order of the rules matters and the more specific rules should go first. Now everything that starts with /admin will require an authenticated user with the ADMIN role, even the /admin/login path (because /admin/login is already matched by the /admin/** rule and therefore the second rule is ignored).


The rule for the login page should therefore go before the /admin/** rule, e.g.


```java
.antMatchers("/admin/login").permitAll()
.antMatchers("/admin/**").hasRole("ADMIN")
```