2013-01-21 128 views

首先,让我感谢大家在这个网站上给予的巨大帮助!Spring Web 应用和 REST 服务的安全

那么,我先说明一点:我是 Spring 的新手,我用 AppFuse 创建了一个新的 Web 应用程序。最初的想法是创建一个带前端的简单平台,然后从外部客户端调用 REST 服务。

问题是我无法定义一个 security.xml 文件,使页面和 REST 服务可以使用不同的身份验证方法。

我的想法是:网页使用登录表单进行认证,服务使用基于 URL 参数的认证,但我得到的只有一个异常:

A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored"

我已分别单独尝试过其中的每一个,但是当我把它们放在同一个文件中时,就会抛出该异常。

<!-- Spring Security namespace configuration from the question. Static resources are excluded from
     filtering, then two <http> chains follow: one intended for the /services/** endpoints and one
     for the form-login web UI. Beans such as userDao and passwordEncoder are defined elsewhere. -->
<http pattern="/images/**" security="none"/> 
    <http pattern="/styles*/**" security="none"/> 
    <http pattern="/scripts*/**" security="none"/> 
    <http pattern="/assets*/**" security="none"/> 
    <!-- NOTE(review): this <http> element has no pattern attribute, so it applies to every request.
         It is declared before the second pattern-less <http> below, which can therefore never be
         reached; that matches the "universal match pattern ('/**') is defined before other patterns"
         exception quoted in the question. The intercept-url pattern inside only selects an access
         rule within this chain; it does not restrict which requests the chain handles. -->
    <http entry-point-ref="restAuthenticationEntryPoint"> 
     <!-- ROLE_ADMIN is listed twice here; the duplicate is redundant. -->
     <intercept-url pattern="/services/**" access="ROLE_ADMIN,ROLE_ADMIN,ROLE_USER"/> 
     <!-- Installs the myFilter bean at the position normally used by the form-login filter. -->
     <custom-filter ref="myFilter" position="FORM_LOGIN_FILTER"/> 
     <logout /> 
    </http> 
    <!-- Username/password filter used by the chain above, wired to the shared authentication manager. -->
    <beans:bean id="myFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"> 
     <beans:property name="authenticationManager" ref="authenticationManager"/> 
     <beans:property name="authenticationSuccessHandler" ref="mySuccessHandler"/> 
    </beans:bean> 
    <!-- Project-specific success handler; its behaviour is not visible in this file. -->
    <beans:bean id="mySuccessHandler" class="org.bringer.webapp.authentication.MyAuthSuccessHandler"/>  
    <!-- Web UI chain: also pattern-less, so it is a second universal match after the one above. -->
    <http auto-config="true" access-denied-page="/accessdenied"> 
     <intercept-url pattern="/login*/**" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/> 
     <!-- NOTE(review): "/admin/*" covers a single path segment only. A deeper URL such as
          /admin/a/b would fall through to the "/**" rule below, which also admits ROLE_USER.
          Confirm no admin page lives deeper, or use "/admin/**". -->
     <intercept-url pattern="/admin/*" access="ROLE_ADMIN"/> 
     <intercept-url pattern="/passwordhint*/**" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/> 
     <intercept-url pattern="/signup*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/> 
     <!-- Catch-all: every other URL requires an authenticated ROLE_ADMIN or ROLE_USER. -->
     <intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER"/> 
     <form-login login-page="/login" 
        default-target-url="/home" 
        always-use-default-target="true" 
        authentication-failure-url="/login/error" 
        login-processing-url="/j_security_check"/>      
     <!-- NOTE(review): the remember-me key is hard-coded and is now public on this page. It is an
          input to the remember-me token signature, so a real deployment should supply its own
          secret value from outside version control. -->
     <remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66"/> 
    </http> 
    <!-- Single authentication manager shared by both chains; users are loaded through userDao. -->
    <authentication-manager alias="authenticationManager"> 
     <authentication-provider user-service-ref="userDao"> 
      <password-encoder ref="passwordEncoder"> 
       <salt-source ref="saltSource"/> 
      </password-encoder> 
     </authentication-provider> 
    </authentication-manager> 
    <!-- NOTE(review): the salt is read from the user's username property, so it is predictable and
         changes if the username changes. Which hash passwordEncoder uses is not visible here; an
         adaptive encoder that generates its own random salt (for example BCrypt, where the Spring
         Security version in use provides it) would make this salt source unnecessary. -->
    <beans:bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource" 
     p:userPropertyToUse="username"/> 
    <!-- Method-level protection: only ROLE_ADMIN may call UserManager.getUsers and removeUser. -->
    <global-method-security> 
     <protect-pointcut expression="execution(* *..service.UserManager.getUsers(..))" access="ROLE_ADMIN"/> 
     <protect-pointcut expression="execution(* *..service.UserManager.removeUser(..))" access="ROLE_ADMIN"/> 
    </global-method-security> 

即使我删除了“/**”模式,得到的仍然只有这个异常。

有人能给我指出正确的方向吗?任何帮助都将不胜感激。


请发表您的解决方案作为一个答案,并接受它的security.xml。 –

回答


解决!

下面是帮我解决这个问题的配置:

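<!-- REST chain: scoped to /services/** by the pattern attribute on <http>, so it no longer acts as a
     universal match ahead of the web UI chain. It is stateless, so no HTTP session is created and
     the HTTP Basic credentials must accompany every request.
     NOTE(review): Basic credentials are only base64-encoded; serve these endpoints over HTTPS
     (intercept-url accepts requires-channel="https" if the channel should be enforced here). -->
<http pattern="/services/**" create-session="stateless">
     <!-- Within this chain "/**" means every URL under /services/. -->
     <intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER" />
     <http-basic />
    </http>
    <!-- Login URLs bypass the Spring Security filter chain entirely (security="none"), so no
         security context is available while rendering them. The credential POST is not affected:
         it goes to /j_security_check, which is handled by the chain below. -->
    <http pattern="/login*/**" security="none"/>
    <!-- Web UI chain: the only pattern-less (universal) <http>, and it is declared last. -->
    <http auto-config="true" access-denied-page="/accessdenied">
     <!-- Changed from "/admin/*": the single-star form covers one path segment only, so a deeper
          URL such as /admin/a/b fell through to the "/**" rule below, which also admits ROLE_USER.
          "/admin/**" keeps the whole admin subtree restricted to ROLE_ADMIN. -->
     <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
     <intercept-url pattern="/passwordhint*/**" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
     <intercept-url pattern="/signup*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
     <!-- Catch-all: every other URL requires an authenticated ROLE_ADMIN or ROLE_USER. -->
     <intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER"/>
     <form-login login-page="/login"
        default-target-url="/home"
        always-use-default-target="true"
        authentication-failure-url="/login/error"
        login-processing-url="/j_security_check"/>
     <!-- NOTE(review): the remember-me key is hard-coded and is now public on this page. It is an
          input to the remember-me token signature, so a real deployment should supply its own
          secret value from outside version control. -->
     <remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66"/>
    </http>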