What is the difference between ROLE_USER and ROLE_ANONYMOUS in a Spring intercept url configuration?


Problem description

What is the difference between ROLE_USER and ROLE_ANONYMOUS in a Spring intercept url configuration such as the example below?

<http auto-config="false" access-decision-manager-ref="accessDecisionManager"
    use-expressions="true">
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="http" />
    <intercept-url pattern="/login/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="${application.secureChannel}" />
    <intercept-url pattern="/error/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="http" />
    <intercept-url pattern="/register/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="${application.secureChannel}" />
    <intercept-url pattern="/" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="http" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"
        requires-channel="http" />
    <form-login login-page="/login" login-processing-url="/login/submit"
        authentication-failure-url="/login/error" />
    <logout logout-url="/logout" />
</http>

Solution

ROLE_ANONYMOUS is the default role assigned to an unauthenticated (anonymous) user when a configuration uses Spring Security's "anonymous authentication" filter (http://static.springsource.org/spring-security/site/docs/3.1.x/reference/anonymous.htm). This is enabled by default. However, it is probably clearer if you use the expression isAnonymous() instead, which has the same meaning.

ROLE_USER has no meaning unless you assign this role to your users when they are authenticated (you are in charge of loading the roles (authorities) for an authenticated user). It isn't a name that is built in to Spring Security's infrastructure. In the given example, presumably that role is assigned to an authenticated user.
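
The two points above, shown as a configuration (an added example, not part of the original question or answer): the `<anonymous>` element makes visible where ROLE_ANONYMOUS comes from, and the `<user-service>` entry is where ROLE_USER is actually granted. The user name `alice` and the password value are constructed placeholders, and the question's `access-decision-manager-ref` and `requires-channel` attributes are left out to keep the fragment short.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http auto-config="false" use-expressions="true">
        <!-- The anonymous authentication filter is on by default; it is declared
             here only to show its default values. Every request without a real
             login gets a token for "anonymousUser" carrying ROLE_ANONYMOUS. -->
        <anonymous enabled="true" username="anonymousUser"
            granted-authority="ROLE_ANONYMOUS" />

        <!-- isAnonymous() matches that token, so these rules behave like
             hasRole('ROLE_ANONYMOUS') in the question. Rules are evaluated
             top to bottom and the first matching pattern wins. -->
        <intercept-url pattern="/login/**" access="isAnonymous()" />
        <intercept-url pattern="/register/**" access="isAnonymous()" />

        <!-- Catch-all: passes only if the authenticated user was given the
             authority ROLE_USER by the authentication provider below. -->
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />

        <form-login login-page="/login" login-processing-url="/login/submit"
            authentication-failure-url="/login/error" />
        <logout logout-url="/logout" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- Constructed sample user. ROLE_USER exists only because it is
                     listed here; rename it and the /** rule above denies everyone. -->
                <user name="alice" password="CHANGE_ME" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

A rule written with `isAnonymous()` or `hasRole('ROLE_ANONYMOUS')` denies users who are already logged in, since their token no longer carries the anonymous authority. Use `permitAll` for pages that both anonymous and authenticated users should reach.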
