I have two DispatcherServlets in my application. One serves the JSPs and dispatches the admin addresses.

<servlet>
  <servlet-name>adminServlet</servlet-name>
  <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  <init-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring/appServlet/adminServlet-context.xml</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>adminServlet</servlet-name>
  <url-pattern>/</url-pattern>
</servlet-mapping>
The second DispatcherServlet dispatches the addresses that send XML or JSON.

<servlet>
  <servlet-name>userServlet</servlet-name>
  <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  <init-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring/appServlet/userServlet-context.xml</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>userServlet</servlet-name>
  <url-pattern>/user/*</url-pattern>
</servlet-mapping>
And a DelegatingFilterProxy for security:

<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
The security context configuration file:

<http auto-config="true" use-expressions="true">
  <intercept-url pattern="/login.do"
      access="permitAll" requires-channel="http" />
  <intercept-url pattern="/*"
      access="hasRole('ROLE_USER')" requires-channel="http" />
  <intercept-url pattern="/admin/*"
      access="hasRole('ROLE_ADMIN')" requires-channel="http" />
  <form-login login-page="/login.do"
      login-processing-url="/loginProcess" username-parameter="user"
      password-parameter="password" default-target-url="/admin" />
  <logout logout-url="/logout.do"
      invalidate-session="true" />
  <remember-me key="secCh4"
      token-validity-seconds="3600" data-source-ref="dataSource" />
  <session-management
      session-fixation-protection="newSession">
  </session-management>
  <intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
</http>
The part of the service dispatched by adminServlet requires authentication and is secure, but the part handled by userServlet is completely unsecured and does not require any authentication. I don't know why; I set the url-pattern of the DelegatingFilterProxy to /* and I also set

<intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />

Any ideas?
Answer 0 (score: 2)
DelegatingFilterProxy has nothing to do with DispatcherServlet. In fact, Spring MVC is not required at all; you can use any other framework, for example Struts.

With your rule <intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" /> you specify that URLs such as /user/list/ or /user/4 are intercepted, but not /user/4/save. If you want to intercept all URLs starting with /user/, try <intercept-url pattern="/user/**" access="hasRole('ROLE_USER')" />. You can read more here.

Anyway, keep in mind that the order of the intercept-url rules also matters.
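As an added illustration (not code from the question or the answer), the Python below simulates how Spring Security walks the intercept-url list top to bottom and applies Ant-style matching to the request path. The matcher is a simplified re-implementation of Ant semantics, ORIGINAL_RULES copies the question's rules in their original order, and FIXED_RULES is an assumed corrected list using /** patterns with the more specific rules placed first.

```python
import re

# Rules exactly as they appear in the question's <http> block, in document order.
ORIGINAL_RULES = [
    ("/login.do", "permitAll"),
    ("/*",        "hasRole('ROLE_USER')"),
    ("/admin/*",  "hasRole('ROLE_ADMIN')"),
    ("/user/*",   "hasRole('ROLE_USER')"),
]

# Assumed fix: '**' spans sub-paths, and specific rules come before the catch-all.
FIXED_RULES = [
    ("/login.do", "permitAll"),
    ("/admin/**", "hasRole('ROLE_ADMIN')"),
    ("/user/**",  "hasRole('ROLE_USER')"),
    ("/**",       "hasRole('ROLE_USER')"),
]


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate a (simplified) Ant-style path pattern into an anchored regex."""
    regex, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            regex += "(?:/.*)?"   # trailing /** also matches the bare prefix
            i += 3
        elif pattern.startswith("**", i):
            regex += ".*"         # ** crosses any number of path segments
            i += 2
        elif pattern[i] == "*":
            regex += "[^/]*"      # * stays inside a single path segment
            i += 1
        elif pattern[i] == "?":
            regex += "[^/]"       # ? is exactly one character in a segment
            i += 1
        else:
            regex += re.escape(pattern[i])
            i += 1
    return re.compile("^" + regex + "$")


def first_matching_access(rules, path: str):
    """Return the access expression of the FIRST rule that matches, or None.

    None means no intercept-url applies, so Spring Security imposes no
    access requirement on that URL, which is the symptom in the question.
    """
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return access
    return None
```

Running first_matching_access(ORIGINAL_RULES, "/user/4/save") returns None because /user/* matches a single path segment only, while the same path against FIXED_RULES yields hasRole('ROLE_USER').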