
在我的情况下，我希望某个特定的 URL 只能由具有 ROLE_ADMIN 角色的用户访问，但这不起作用：即使用户没有 ROLE_ADMIN 角色，也能够查看管理员专用页面。这里是 spring-security.xml（原标题：spring security intercept-url 对我不起作用）：

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:sec="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="
     http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
     http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
     http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee.xsd
     http://www.springframework.org/schema/lang http://www.springframework.org/schema/lang/spring-lang.xsd
     http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
     http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
     http://www.springframework.org/schema/mvc
     http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
     http://www.springframework.org/schema/beans
     http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
     http://www.springframework.org/schema/security
     http://www.springframework.org/schema/security/spring-security-3.1.xsd
     ">

    <!--
      Spring Security 3.1 configuration (the version pinned in schemaLocation above).
      The intercept-url rules inside <sec:http> are evaluated top to bottom and the
      first matching pattern decides access, so their declaration order is the
      security-relevant part of this file.
      -->

    <!-- Enables @PreAuthorize / @PostAuthorize checks on service methods. -->
    <sec:global-method-security pre-post-annotations="enabled" />

    <!--
      security="none" takes these patterns out of the Spring Security filter chain
      entirely: nothing under them is authenticated or authorised. Keep this list to
      static resources and the login page. NOTE(review): /index.jsp is both
      unprotected here and the default-target-url below; presumably intended, confirm.
      -->
    <sec:http pattern="/css/**" security="none"/>
    <sec:http pattern="/images/**" security="none"/>
    <sec:http pattern="/js/**" security="none"/>
    <sec:http pattern="/index.jsp" security="none"/>
    <!-- <sec:http pattern="/app/addNewUser.json" security="none"/> -->
    <sec:http pattern="/login.jsp" security="none"/>
    <sec:http use-expressions="true">
     <!--
      Allow all other requests. In a real application you should
      adopt a whitelisting approach where access is not allowed by default
      -->
     <!--
      NOTE(review): this catch-all is declared BEFORE the ROLE_ADMIN rule at the
      end of this element. Because the first matching intercept-url wins, every
      authenticated request matches here and the ROLE_ADMIN rule is never reached.
      -->
     <sec:intercept-url pattern="/**" access="isAuthenticated()" />
     <sec:form-login login-page='/login.jsp'
      authentication-failure-url="/login.jsp?login_error=1"
      default-target-url="/index.jsp" />
     <!-- delete-cookies clears the container session cookie on logout. -->
     <sec:logout logout-success-url="/login.jsp" delete-cookies="JSESSIONID"/>
     <sec:remember-me />
<!-- Unreachable in this position: the /** rule above already matched. It must precede /** to take effect. -->
<sec:intercept-url pattern="/**/referencemetadatahome*" access="hasRole('ROLE_ADMIN')" />
    </sec:http>

    <!-- Application-supplied UserDetailsService backing the single authentication provider. -->
    <bean id="myUserService" class="com.aa.ceg.proj.mars.serviceimpl.UserServiceImpl" />
    <sec:authentication-manager>
    <sec:authentication-provider user-service-ref="myUserService" />
    </sec:authentication-manager>
<!-- Logs authentication events (success/failure); useful for detecting failed admin access attempts. -->
<bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>
</beans>

这里是 web.xml：

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
    <display-name>Spring3MVC</display-name>
    <!-- Both files are loaded into the root application context by ContextLoaderListener below. -->
    <context-param>
     <param-name>contextConfigLocation</param-name>
     <param-value>
      /WEB-INF/spring-rootcontext.xml
      /WEB-INF/spring-security.xml
     </param-value>
    </context-param>
    <!--
      DelegatingFilterProxy forwards to the Spring bean named "springSecurityFilterChain"
      that the <sec:http> elements in spring-security.xml create.
      -->
     <filter>
     <filter-name>springSecurityFilterChain</filter-name>
     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <!--
      Mapped to /* so every request (including /app/*) passes through the security
      chain. Filters run in the order of their filter-mapping elements, so this one
      runs before the CAS Single Sign Out Filter mapped further down.
      NOTE(review): confirm that ordering is the intended one.
      -->
    <filter-mapping>
     <filter-name>springSecurityFilterChain</filter-name>
     <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!--
     - Loads the root application context of this web app at startup.
    -->
    <listener>
     <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>


    <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <!-- Spring MVC front controller; serves everything under /app/*. -->
    <servlet>
    <servlet-name>spring</servlet-name>
    <servlet-class>
      org.springframework.web.servlet.DispatcherServlet
     </servlet-class>
    <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
    <servlet-name>spring</servlet-name>
    <url-pattern>/app/*</url-pattern>
    </servlet-mapping>
<!-- Jasig CAS client: invalidates the local session on a CAS single-sign-out request. -->
<filter>
     <filter-name>CAS Single Sign Out Filter</filter-name>
     <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>
<filter-mapping>
     <filter-name>CAS Single Sign Out Filter</filter-name>
     <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
     <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>

</web-app>

即使用户没有 ROLE_ADMIN 角色，我也能够访问 /app/referencemetadatahome.html。可能是什么问题呢？

回答


好的……只需重新排序 Spring Security 的 intercept-url，就能让它正常工作：

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:sec="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="
     http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
     http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
     http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee.xsd
     http://www.springframework.org/schema/lang http://www.springframework.org/schema/lang/spring-lang.xsd
     http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
     http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
     http://www.springframework.org/schema/mvc
     http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
     http://www.springframework.org/schema/beans
     http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
     http://www.springframework.org/schema/security
     http://www.springframework.org/schema/security/spring-security-3.1.xsd
     ">

    <!--
      Corrected Spring Security 3.1 configuration. intercept-url rules are evaluated
      top to bottom and the first match wins, so the most specific (ROLE_ADMIN) rule
      is listed first and the catch-all /** last.
      -->

    <!-- Enables @PreAuthorize / @PostAuthorize checks on service methods. -->
    <sec:global-method-security pre-post-annotations="enabled" />

    <!--
      security="none" takes these patterns out of the Spring Security filter chain
      entirely; keep this list to static resources and the login page.
      -->
    <sec:http pattern="/css/**" security="none"/>
    <sec:http pattern="/images/**" security="none"/>
    <sec:http pattern="/js/**" security="none"/>
    <sec:http pattern="/index.jsp" security="none"/>
    <!-- <sec:http pattern="/app/addNewUser.json" security="none"/> -->
    <sec:http pattern="/login.jsp" security="none"/>
    <sec:http use-expressions="true">
<!--
  Must stay above the /** rule. NOTE(review): only paths whose last segment starts
  with "referencemetadatahome" are restricted; any other admin page is still open to
  every authenticated user, so prefer a dedicated prefix (e.g. an /admin/** style
  rule) if more admin pages exist.
  -->
<sec:intercept-url pattern="/**/referencemetadatahome*" access="hasRole('ROLE_ADMIN')" />
     <!--
      Allow all other requests. In a real application you should
      adopt a whitelisting approach where access is not allowed by default
      -->
     <sec:intercept-url pattern="/**" access="isAuthenticated()" />
     <sec:form-login login-page='/login.jsp'
      authentication-failure-url="/login.jsp?login_error=1"
      default-target-url="/index.jsp" />
     <!-- delete-cookies clears the container session cookie on logout. -->
     <sec:logout logout-success-url="/login.jsp" delete-cookies="JSESSIONID"/>
     <sec:remember-me />

    </sec:http>

    <!-- Application-supplied UserDetailsService backing the single authentication provider. -->
    <bean id="myUserService" class="com.aa.ceg.proj.mars.serviceimpl.UserServiceImpl" />
    <sec:authentication-manager>
    <sec:authentication-provider user-service-ref="myUserService" />
    </sec:authentication-manager>
<!-- Logs authentication events (success/failure); useful for detecting failed admin access attempts. -->
<bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>
</beans>

这是正确的。/** 应始终是最后一个 intercept-url，因为 Spring Security 从列表顶部开始逐条匹配，并在找到第一个匹配项时停止。 –


也标记接受的答案。 – Ravi