Spring Security Intercept-url pattern not working


Problem description

My application can have the URLs below:

/siteadmin/homepage/
/siteusers/customer/createCustomer

Below is my spring-security.xml:

<beans:beans> 
    <http auto-config="true">
        <intercept-url pattern="/siteusers***" access="isAuthenticated()" />
        <!-- <intercept-url pattern="siteusers/home/*" access="hasRole('USER') OR hasRole('ADMIN')" /> -->
        <intercept-url pattern="/siteadmin***" access="hasRole('ROLE_ADMIN')" />
        <form-login login-page="/siteusers/loginprocess/login" default-target-url="/siteusers/home/homepage"
            login-processing-url="/siteusers/loginprocess/login"
            authentication-failure-url="/siteusers/loginprocess/login?error" username-parameter="username"
            password-parameter="password" />
        <logout logout-success-url="/siteusers/loginprocess/login?logout" logout-url="/siteusers/loginprocess/logout" />
        <!-- enable csrf protection -->
        <csrf />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="b" password="123456" authorities="ROLE_ADMIN" />
                <user name="a" password="a" authorities="ROLE_USER" /><!-- This user can not access /admin url -->
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

If I log in with user 'a' and hit the URL http://localhost:8080/siteadmin/homepage/ it allows user 'a' to view the page although his role is not admin. But when I try to hit http://localhost:8080/siteadmin then Spring Security works fine, i.e. it shows the access denied page. I want to restrict /admin/* URLs for users who don't have the Admin role.

Recommended answer

See AntPathMatcher:

The mapping matches URLs using the following rules:

  • ? matches one character
  • * matches zero or more characters
  • ** matches zero or more directories in a path

Some examples:

  • com/t?st.jsp - matches com/test.jsp but also com/tast.jsp or com/txst.jsp
  • com/*.jsp - matches all .jsp files in the com directory
  • com/**/test.jsp - matches all test.jsp files underneath the com path
  • org/springframework/**/*.jsp - matches all .jsp files underneath the org/springframework path
  • org/**/servlet/bla.jsp - matches org/springframework/servlet/bla.jsp but also org/springframework/testing/servlet/bla.jsp and org/servlet/bla.jsp

Your pattern /siteadmin*** misses slashes. Use /siteadmin/**.
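To show why the missing slash matters, here is an added example (not from the question, the answer, or Spring itself): a simplified Python re-implementation of the Ant-style rules quoted above, plus a first-match walk over intercept-url rules the way Spring Security evaluates them, run against both of the questioner's patterns. The `is_authenticated` and `has_role_admin` predicates are assumed stand-ins for the SpEL expressions in the config, and trailing-slash distinctions of the real AntPathMatcher are ignored.

```python
import re

# Simplified Ant-style matcher (not Spring's own AntPathMatcher) following the
# rules quoted above: '?' one character, '*' zero or more characters within a
# single path segment, and a bare '**' segment spanning zero or more directories.
# Trailing-slash handling of the real class is deliberately left out.

def _segment_matches(pattern_seg, path_seg):
    """Match one path segment against a segment pattern containing ? and *."""
    regex = "".join("." if c == "?" else "[^/]*" if c == "*" else re.escape(c)
                    for c in pattern_seg)
    return re.fullmatch(regex, path_seg) is not None

def _match_segments(patt, segs):
    if not patt:
        return not segs            # both pattern and path must be fully consumed
    head, rest = patt[0], patt[1:]
    if head == "**":               # only a whole '**' segment may span directories
        return any(_match_segments(rest, segs[i:]) for i in range(len(segs) + 1))
    return bool(segs) and _segment_matches(head, segs[0]) and _match_segments(rest, segs[1:])

def ant_match(pattern, path):
    """True if the Ant-style pattern matches the request path.
    '/siteadmin***' is a single-segment glob, so it never matches '/siteadmin/homepage/'."""
    return _match_segments([s for s in pattern.split("/") if s],
                           [s for s in path.split("/") if s])

def decide(rules, path, authorities):
    """Walk intercept-url rules in order; the first matching pattern decides,
    as in Spring Security. A path matching no rule is left unprotected,
    which is exactly the symptom described in the question."""
    for pattern, allowed in rules:
        if ant_match(pattern, path):
            return "allow" if allowed(authorities) else "deny"
    return "unprotected"

# Assumed stand-ins for the SpEL expressions isAuthenticated() / hasRole('ROLE_ADMIN').
def is_authenticated(auths):
    return bool(auths)

def has_role_admin(auths):
    return "ROLE_ADMIN" in auths

# Constructed rule lists: the questioner's config and the answer's corrected form.
BROKEN = [("/siteusers***", is_authenticated), ("/siteadmin***", has_role_admin)]
FIXED = [("/siteusers/**", is_authenticated), ("/siteadmin/**", has_role_admin)]

if __name__ == "__main__":
    user_a = {"ROLE_USER"}         # user 'a' from the question
    for path in ("/siteadmin", "/siteadmin/homepage/"):
        print(f"{path:22} broken={decide(BROKEN, path, user_a):12} fixed={decide(FIXED, path, user_a)}")
```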
