在我的情况下,我希望只有具有 ROLE_ADMIN 角色的用户才能访问特定的 URL,但这不起作用:即使用户没有 ROLE_ADMIN 角色,也能看到管理员专用的页面。 这是 spring-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee.xsd
http://www.springframework.org/schema/lang http://www.springframework.org/schema/lang/spring-lang.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
">
<sec:global-method-security pre-post-annotations="enabled" />
<!-- Each of these paths is served with NO security filter chain at all
     (security="none"): no authentication, no SecurityContext, no
     session-fixation or logout handling applies to them. -->
<sec:http pattern="/css/**" security="none"/>
<sec:http pattern="/images/**" security="none"/>
<sec:http pattern="/js/**" security="none"/>
<sec:http pattern="/index.jsp" security="none"/>
<!-- <sec:http pattern="/app/addNewUser.json" security="none"/> -->
<sec:http pattern="/login.jsp" security="none"/>
<sec:http use-expressions="true">
<!--
Allow all other requests. In a real application you should
adopt a whitelisting approach where access is not allowed by default
-->
<!-- intercept-url rules are evaluated in declaration order and the FIRST
     matching pattern decides access. "/**" matches every request, so any
     rule declared below it can never be reached. -->
<sec:intercept-url pattern="/**" access="isAuthenticated()" />
<sec:form-login login-page='/login.jsp'
authentication-failure-url="/login.jsp?login_error=1"
default-target-url="/index.jsp" />
<sec:logout logout-success-url="/login.jsp" delete-cookies="JSESSIONID"/>
<!-- NOTE(review): no key attribute is set on remember-me; confirm whether a
     key generated at startup (remember-me tokens invalidated on every
     restart) is acceptable for this deployment. -->
<sec:remember-me />
<!-- BUG: this rule is unreachable because "/**" above already matched, so
     any authenticated user (not only ROLE_ADMIN) reaches the admin page.
     It must be declared BEFORE the "/**" catch-all. -->
<sec:intercept-url pattern="/**/referencemetadatahome*" access="hasRole('ROLE_ADMIN')" />
</sec:http>
<bean id="myUserService" class="com.aa.ceg.proj.mars.serviceimpl.UserServiceImpl" />
<sec:authentication-manager>
<sec:authentication-provider user-service-ref="myUserService" />
</sec:authentication-manager>
<bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>
</beans>
这是web.xml;
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         id="WebApp_ID"
         version="2.5">

  <display-name>Spring3MVC</display-name>

  <!-- Root application context: both files are loaded by ContextLoaderListener,
       so the security configuration lives in the root context, not in the
       DispatcherServlet context. -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      /WEB-INF/spring-rootcontext.xml
      /WEB-INF/spring-security.xml
    </param-value>
  </context-param>

  <!-- Spring Security entry point. DelegatingFilterProxy looks up the bean named
       "springSecurityFilterChain" in the root context; the filter-name must
       therefore match that bean name exactly. -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- Loads the root application context of this web app at startup. -->
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- MVC front controller, mapped under /app/*. Requests outside /app/* (for
       example /login.jsp) are served by the container directly, though they
       still pass through every filter mapped to /* above. -->
  <servlet>
    <servlet-name>spring</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>spring</servlet-name>
    <url-pattern>/app/*</url-pattern>
  </servlet-mapping>

  <!-- CAS single sign-out support. Filters run in filter-mapping order, so this
       one executes AFTER springSecurityFilterChain for every request.
       NOTE(review): confirm this ordering is intended; the CAS client docs
       describe where SingleSignOutFilter should sit relative to other
       security filters. -->
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>

</web-app>
即使用户没有 ROLE_ADMIN 角色,我也可以访问 /app/referencemetadatahome.html。可能是什么问题?
答案 0 :(得分:5)
好的……只需重新排序 Spring Security 的 intercept-url 规则即可使其正常工作(规则按声明顺序匹配,第一条匹配的规则生效,因此 /** 这条兜底规则必须放在最后):
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee.xsd
http://www.springframework.org/schema/lang http://www.springframework.org/schema/lang/spring-lang.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
">

  <sec:global-method-security pre-post-annotations="enabled" />

  <!-- Unsecured resources: security="none" means NO filter chain runs for these
       paths (no authentication, no SecurityContext, no session handling). -->
  <sec:http pattern="/css/**" security="none"/>
  <sec:http pattern="/images/**" security="none"/>
  <sec:http pattern="/js/**" security="none"/>
  <sec:http pattern="/index.jsp" security="none"/>
  <!-- <sec:http pattern="/app/addNewUser.json" security="none"/> -->
  <sec:http pattern="/login.jsp" security="none"/>

  <!-- Main secured chain. intercept-url rules are matched in declaration order
       and the first match wins, so the most specific rule comes first and the
       "/**" catch-all comes last. -->
  <sec:http use-expressions="true">

    <!-- Admin-only page: must precede the "/**" rule or it is never reached. -->
    <sec:intercept-url pattern="/**/referencemetadatahome*" access="hasRole('ROLE_ADMIN')" />

    <!-- Catch-all: any other request only needs an authenticated user. In a
         real application prefer a whitelist where access is denied by default. -->
    <sec:intercept-url pattern="/**" access="isAuthenticated()" />

    <sec:form-login login-page="/login.jsp"
                    authentication-failure-url="/login.jsp?login_error=1"
                    default-target-url="/index.jsp" />
    <sec:logout logout-success-url="/login.jsp" delete-cookies="JSESSIONID"/>

    <!-- NOTE(review): no key attribute is set; confirm whether a key generated
         at startup (remember-me tokens invalidated on restart) is acceptable. -->
    <sec:remember-me />
  </sec:http>

  <!-- UserDetailsService backing the authentication provider. -->
  <bean id="myUserService" class="com.aa.ceg.proj.mars.serviceimpl.UserServiceImpl" />
  <sec:authentication-manager>
    <sec:authentication-provider user-service-ref="myUserService" />
  </sec:authentication-manager>

  <!-- Logs authentication success/failure events. -->
  <bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>

</beans>