Spring Security Intercept-url pattern not working
Problem description
My application can have below URLs:
/siteadmin/homepage/
/siteusers/customer/createCustomer
Below is my spring-security.xml:
<beans:beans>
<http auto-config="true">
<intercept-url pattern="/siteusers***" access="isAuthenticated()" />
<!-- <intercept-url pattern="siteusers/home/*" access="hasRole('USER') OR hasRole('ADMIN')" /> -->
<intercept-url pattern="/siteadmin***" access="hasRole('ROLE_ADMIN')" />
<form-login login-page="/siteusers/loginprocess/login" default-target-url="/siteusers/home/homepage"
login-processing-url="/siteusers/loginprocess/login"
authentication-failure-url="/siteusers/loginprocess/login?error" username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/siteusers/loginprocess/login?logout" logout-url="/siteusers/loginprocess/logout" />
<!-- enable csrf protection -->
<csrf />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="b" password="123456" authorities="ROLE_ADMIN" />
<user name="a" password="a" authorities="ROLE_USER" /><!-- This user can not access /admin url -->
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
If I log in with user 'a' and hit the URL http://localhost:8080/siteadmin/homepage/ it is allowing user 'a' to view the page although his role is not admin. But when I try to hit http://localhost:8080/siteadmin then Spring Security is working fine, i.e. it's showing the access denied page.
I want to restrict /admin/* URLs for users who don't have the Admin role.
Recommended answer
See AntPathMatcher:
The mapping matches URLs using the following rules:
? matches one character
* matches zero or more characters
** matches zero or more directories in a path
Some examples:
com/t?st.jsp - matches com/test.jsp but also com/tast.jsp or com/txst.jsp
com/*.jsp - matches all .jsp files in the com directory
com/**/test.jsp - matches all test.jsp files underneath the com path
org/springframework/**/*.jsp - matches all .jsp files underneath the org/springframework path
org/**/servlet/bla.jsp - matches org/springframework/servlet/bla.jsp but also org/springframework/testing/servlet/bla.jsp and org/servlet/bla.jsp
Your pattern /siteadmin*** misses slashes. Use /siteadmin/**.
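An added example (not part of the original answer, and not Spring's code): a simplified Python re-implementation of the three matching rules quoted above, used to see which intercept-url rule, if any, is the first to match each URL from the question. It ignores AntPathMatcher's trailing-slash handling, and `ant_match`, `first_rule` and the two rule lists are names made up for this illustration.

```python
import re

def _segment_regex(seg):
    # Inside one path segment: '?' = one character, '*' = zero or more characters.
    # Matching is done segment by segment, so neither can ever consume a '/'.
    body = "".join("." if c == "?" else ".*" if c == "*" else re.escape(c) for c in seg)
    return re.compile(body + r"\Z", re.S)

def ant_match(pattern, path):
    """Simplified Ant-style match; '**' as a whole segment spans zero or more directories."""
    pat = [s for s in pattern.split("/") if s]
    dirs = [s for s in path.split("/") if s]

    def walk(i, j):
        if i == len(pat):                      # pattern used up: path must be used up too
            return j == len(dirs)
        if pat[i] == "**":                     # try consuming 0..n of the remaining directories
            return any(walk(i + 1, k) for k in range(j, len(dirs) + 1))
        return (j < len(dirs)
                and _segment_regex(pat[i]).match(dirs[j]) is not None
                and walk(i + 1, j + 1))

    return walk(0, 0)

def first_rule(rules, path):
    """Access expression of the first rule (in declaration order) that matches, else None."""
    for pattern, access in rules:
        if ant_match(pattern, path):
            return access
    return None   # no intercept-url applies, so no access rule is enforced for this path

# Patterns exactly as in the question's spring-security.xml
ORIGINAL = [("/siteusers***", "isAuthenticated()"),
            ("/siteadmin***", "hasRole('ROLE_ADMIN')")]
# Same list with only the change the answer recommends
CORRECTED = [("/siteusers***", "isAuthenticated()"),
             ("/siteadmin/**", "hasRole('ROLE_ADMIN')")]

if __name__ == "__main__":
    for url in ("/siteadmin", "/siteadmin/homepage/"):
        print(url, "| original:", first_rule(ORIGINAL, url),
              "| corrected:", first_rule(CORRECTED, url))
```

With the original patterns, `/siteadmin/homepage/` falls through every rule, which is why user 'a' reaches it; `/siteadmin***` is a single-segment pattern and only covers paths like `/siteadmin` itself.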