Spring Security 拦截器 URL 不起作用
我在一个项目中使用 Spring Security 3.0.3。
该项目有 3 个区域,应该可供不同的人访问
因此我创建了以下结构 - WEB-INF/(对于所有人=不受保护) - WEB-INF/app(对于用户= ROLE_USER) - WEB-INF/app/admin.jsf(对于管理员= ROLE_ADMIN)
admin.jsf 位于同一目录中,不幸的是我无法更改。
我的用户信息是从数据库加载的。
它们的定义如下:
<bean id="preAuthenticatedProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/> <security:http entry-point-ref="preAuthenticatedProcessingFilterEntryPoint" >
<security:custom-filter position="PRE_AUTH_FILTER" ref="MyFilter"/>
<security:intercept-url pattern="/app/admin.jsf" access="ROLE_ADMIN" />
<security:intercept-url pattern="/app/**" access="ROLE_USER" />
<security:intercept-url pattern="/**" access="" />
</security:http>
现在,一切都很好。用户数据已加载,角色根据数据库设置,但不幸的是,
- 所有人都可以访问未受保护的区域(没关系)
- 管理员可以看到每个页面(因为他们也是 ROLE_USER)
- 角色用户无法进入应用程序中的页面
有人有提示吗我做错了什么? 我正在本地测试它,浏览器网址为: http://localhost:8080/my_app/app/ admin.jsf
到目前为止,我能够确定 spring security 忽略我的角色的问题根源。拦截 url 的模式有效,不幸的是我定义的角色不起作用。
我终于能够找出问题所在:一位同事检查了第二个配置文件,而我修改了错误的配置文件。 grml
I am using Spring Security 3.0.3 for a project.
This project has 3 areas which should be accessible for different people
Therefore I create the following structure
- WEB-INF/ (for everybody = unprotected)
- WEB-INF/app (for users = ROLE_USER)
- WEB-INF/app/admin.jsf (for admins = ROLE_ADMIN)
That admin.jsf is in the same directory I can't change unfortunatly.
My user info is loaded from the database.
They are defined like:
<bean id="preAuthenticatedProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/> <security:http entry-point-ref="preAuthenticatedProcessingFilterEntryPoint" >
<security:custom-filter position="PRE_AUTH_FILTER" ref="MyFilter"/>
<security:intercept-url pattern="/app/admin.jsf" access="ROLE_ADMIN" />
<security:intercept-url pattern="/app/**" access="ROLE_USER" />
<security:intercept-url pattern="/**" access="" />
</security:http>
Now, everything works great. Userdata is loaded, roles are set according to the DB but unfortunatly
- the unprotected area is accessable for all (thats ok)
- admins can see every page (since they are ROLE_USER too)
- role users CAN NOT enter the pages in app
Does anyone have a hint what I did wrong?
I am testing it locally and the browser url is: http://localhost:8080/my_app/app/admin.jsf
So far I was able to identify source of the problem that spring security ignores my roles. The patterns of the intercept urls are working, unfortunatly my defined roles don't.
I finally was able to identify the problem: a colleague checked in a second config file and I modiefied the wrong one. grml
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
问题是配置中的模式是 URL 模式,这不是 jsf 文件或应用程序内的位置。
因此,如果您不通过以下方式访问此 jsf:
http://://app/admin.jsf 那么您只需更正 URL 模式到你真正使用的网址。The problem is that the patterns in the configuration are URL patterns, this is NOT the location of your jsf files or within the application.
So if you are not accessing this jsf via:
http://<server>:<port>/<ApplicationName>/app/admin.jsfthen you just need to correct the URL pattern to the url you really use.