I have been playing with Spring Security and noticed the following oddity.
When I specify an <http> block like this in my security context XML:
<http>
  <http-basic/>
  <port-mappings>
    <port-mapping http="8080" https="8181"/>
  </port-mappings>
  <intercept-url pattern="/url1**" access="ROLE_ROLE1" requires-channel="https"/>
  <intercept-url pattern="/url2**" access="ROLE_ROLE2"/>
  <intercept-url pattern="/url3**" access="ROLE_ROLE3" />
  <!-- <intercept-url pattern="/**" access="ROLE_ADMIN" /> -->
</http>
When I hit the various URLs with a browser, all of them seem to prompt for HTTP Basic authentication.
That is fine and what I expected, but when I add a method attribute to one of the intercept-urls, like this:
<http>
  <http-basic/>
  <port-mappings>
    <port-mapping http="8080" https="8181"/>
  </port-mappings>
  <intercept-url pattern="/url1**" access="ROLE_ROLE1" requires-channel="https"/>
  <intercept-url pattern="/url2**" access="ROLE_ROLE2" method="GET"/>
  <intercept-url pattern="/url3**" access="ROLE_ROLE3" />
  <!-- <intercept-url pattern="/**" access="ROLE_ADMIN" /> -->
</http>
all URLs except the one where I explicitly set the method (/url2) stop prompting for basic authentication.
How does this work? It seems a bit silly to me. Is this a bug?
Answer 0 (score: 2)
I have now tested url1 with https and it does work. I was redirected and then the login dialog appeared.
Setting the logging level to DEBUG prints:
DEBUG DefaultFilterInvocationDefinitionSource,http-8443-1:196 - Converted URL to lowercase, from: '/url1/'; to: '/url1/'
DEBUG DefaultFilterInvocationDefinitionSource,http-8443-1:224 - Candidate is: '/url1/'; pattern is /url2**; matched=false
DEBUG DefaultFilterInvocationDefinitionSource,http-8443-1:224 - Candidate is: '/url1/'; pattern is /url1**; matched=true
DEBUG AbstractSecurityInterceptor,http-8443-1:250 - Secure object: FilterInvocation: URL: /url1/; ConfigAttributes: [ROLE_USER]
DEBUG XmlWebApplicationContext,http-8443-1:244 - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext@17af46e]: org.springframework.security.event.authorization.AuthenticationCredentialsNotFoundEvent[source=FilterInvocation: URL: /url1/]
DEBUG ExceptionTranslationFilter,http-8443-1:150 - Authentication exception occurred; redirecting to authentication entry point
Here is the configuration:
<http>
  <http-basic/>
  <port-mappings>
    <port-mapping http="8080" https="8443"/>
  </port-mappings>
  <intercept-url pattern="/url1**" access="ROLE_USER" requires-channel="https"/>
  <intercept-url pattern="/url2**" access="ROLE_TELLER" method="GET"/>
  <intercept-url pattern="/url3**" access="ROLE_SUPERVISOR" />
</http>
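As an added illustration (not part of the question or the answer above): the method attribute narrows an intercept-url rule to one HTTP method, rules are evaluated top to bottom with the first match winning, and a request that matches no rule is treated as public and is not authenticated at all. The first fragment shows that risky shape, the second pairs the GET rule with a fallback for other methods and ends with a catch-all; the role names come from the answer, and the ROLE_ADMIN catch-all is assumed from the commented-out line in the question.

```xml
<!-- Risky: only GET /url2 is matched. A POST, PUT or DELETE to /url2 matches
     no intercept-url, so FilterSecurityInterceptor treats it as a public
     invocation and it reaches the servlet without any authentication. -->
<http>
  <http-basic/>
  <intercept-url pattern="/url1**" access="ROLE_USER" requires-channel="https"/>
  <intercept-url pattern="/url2**" access="ROLE_TELLER" method="GET"/>
  <intercept-url pattern="/url3**" access="ROLE_SUPERVISOR"/>
</http>

<!-- Safer: the method-specific rule comes first (first match wins), a second
     rule on the same pattern covers every other method, and a catch-all /**
     rule is last so that no request falls through unsecured. -->
<http>
  <http-basic/>
  <intercept-url pattern="/url1**" access="ROLE_USER" requires-channel="https"/>
  <intercept-url pattern="/url2**" access="ROLE_TELLER" method="GET"/>
  <intercept-url pattern="/url2**" access="ROLE_SUPERVISOR"/>
  <intercept-url pattern="/url3**" access="ROLE_SUPERVISOR"/>
  <!-- assumed role name: ROLE_ADMIN, taken from the question's commented-out line -->
  <intercept-url pattern="/**" access="ROLE_ADMIN"/>
</http>
```

The two fragments are alternatives; only one <http> element belongs in a real security context file.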