spring security intercept url roles
Note: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use or share it, but you must do so under the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverFlow
Original: http://stackoverflow.com/questions/12035099/
Asked by shazinltc
In the Spring Security intercept-url config, if I define a particular role for a particular path, say ROLE_USER, that path should be accessible only if the user has that authority. That makes sense, but if I set the role as ROLE_ANONYMOUS, <intercept-url pattern="/resources/**" access="ROLE_ANONYMOUS"/>, shouldn't it be accessible even when the user is authenticated, say when the user has the authority ROLE_USER? But that doesn't happen.
Here is the log:
Checking match of request : '/resources/js/test.js'; against '/resources/**'
Secure object: FilterInvocation: URL: /resources/js/test.js; Attributes: [ROLE_ANONYMOUS]
Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken***********************************************
Voter: org.springframework.security.access.vote.RoleVoter@1712310, returned: -1
And then I get an access denied exception. I know it works fine if I add <intercept-url pattern="/resources/**" access="ROLE_ANONYMOUS,ROLE_USER"/> in my http config. But in the above case, is it meant to be like that, or am I doing something wrong?
Accepted answer by Xaerxess
It's the right way to write:
<intercept-url pattern="/resources/**" access="ROLE_ANONYMOUS,ROLE_USER"/>
You can check the official reference manual chapter about anonymous authentication, where you'll see the following configuration:
<bean id="filterSecurityInterceptor"
      class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
  <!-- FilterSecurityInterceptor exposes this as securityMetadataSource -->
  <property name="securityMetadataSource">
    <security:filter-security-metadata-source>
      <!-- pages reachable both before and after login list both roles -->
      <security:intercept-url pattern='/index.jsp' access='ROLE_ANONYMOUS,ROLE_USER'/>
      <security:intercept-url pattern='/hello.htm' access='ROLE_ANONYMOUS,ROLE_USER'/>
      <security:intercept-url pattern='/logoff.jsp' access='ROLE_ANONYMOUS,ROLE_USER'/>
      <security:intercept-url pattern='/login.jsp' access='ROLE_ANONYMOUS,ROLE_USER'/>
      <!-- everything else requires an authenticated user -->
      <security:intercept-url pattern='/**' access='ROLE_USER'/>
    </security:filter-security-metadata-source>
  </property>
</bean>
Your understanding of ROLE_ANONYMOUS and ROLE_USER is a bit wrong; read more about them in this answer by Luke Taylor, one of Spring Security's devs.
Answered by mael
If I remember correctly: no, a resource protected with only access="ROLE_ANONYMOUS" should not be accessible to authenticated users in your case. You have to explicitly tell Spring to allow users with "ROLE_USER" to access it. Depending on the version you are using, maybe you should consider using expression-based access control. This way you could make a resource accessible to everyone by just using access="permitAll()", which IMHO is simpler.
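The vote in the question's log (RoleVoter returning -1) can be reproduced directly against Spring Security's RoleVoter, which grants access only when one of the caller's granted authorities is string-equal to one of the configured attributes; it never treats ROLE_USER as implying ROLE_ANONYMOUS. This is an added example, not code from either answer, and the principals "alice" and "anonymousUser" are constructed for the demo.

```java
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class RoleVoterDemo {

    // Same check FilterSecurityInterceptor triggers for an intercept-url:
    // the access="..." string becomes a list of ConfigAttributes and RoleVoter
    // compares each one against the token's granted authorities.
    static int vote(Authentication auth, String... accessAttributes) {
        List<ConfigAttribute> attrs = SecurityConfig.createList(accessAttributes);
        return new RoleVoter().vote(auth, null, attrs); // RoleVoter ignores the secure object
    }

    private static void expect(boolean ok, String what) {
        if (!ok) throw new IllegalStateException("unexpected vote for " + what);
    }

    public static void main(String[] args) {
        // Constructed sample tokens (not from the original post). The anonymous
        // one mirrors what AnonymousAuthenticationFilter puts in the context.
        Authentication loggedIn = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        Authentication anonymous = new AnonymousAuthenticationToken(
                "demo-key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));

        // access="ROLE_ANONYMOUS": only the anonymous token matches; a logged-in
        // user holding ROLE_USER gets ACCESS_DENIED (-1), exactly as in the log.
        expect(vote(anonymous, "ROLE_ANONYMOUS") == AccessDecisionVoter.ACCESS_GRANTED,
                "anonymous user on ROLE_ANONYMOUS");
        expect(vote(loggedIn, "ROLE_ANONYMOUS") == AccessDecisionVoter.ACCESS_DENIED,
                "ROLE_USER user on ROLE_ANONYMOUS");

        // access="ROLE_ANONYMOUS,ROLE_USER": each token matches one attribute,
        // so both are granted, which is why the accepted answer's form works.
        expect(vote(anonymous, "ROLE_ANONYMOUS", "ROLE_USER") == AccessDecisionVoter.ACCESS_GRANTED,
                "anonymous user on ROLE_ANONYMOUS,ROLE_USER");
        expect(vote(loggedIn, "ROLE_ANONYMOUS", "ROLE_USER") == AccessDecisionVoter.ACCESS_GRANTED,
                "ROLE_USER user on ROLE_ANONYMOUS,ROLE_USER");

        System.out.println("RoleVoter votes match the behaviour described in the question");
    }
}
```

With expression-based access control (use-expressions="true"), access="permitAll()" is evaluated by WebExpressionVoter instead of RoleVoter, which is why it grants anonymous and authenticated callers alike without listing every role.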