Spring Security Docs(http://static.springsource.org/spring-security/site/docs/3.1.x/reference/taglibs.html#d0e6875)说明如下:
您可以使用安全标记库来授权URL访问,如下所示:
<sec:authorize url="/admin">只有有权向“/ admin”URL发送请求的用户才能看到此内容。</sec:authorize>
要使用此标记,您的应用程序上下文中还必须有一个WebInvocationPrivilegeEvaluator实例。 如果您使用的是命名空间,则会自动注册。
好的,现在......
我刚从Spring Security 3.0升级到3.1
在SS 3.0中,使用基于URL的访问的JSP标记工作得很好。当放入3.1罐时,它停止工作。
我正在使用Spring Security命名空间。因此,我应该拥有使JSP标记工作所需的一切,但它们没有。关于配置的其他所有内容都适用于我的应用程序。 唯一不起作用的是使用JSP标记进行基于URL的访问。
我的配置如下所示(针对SS 3.1进行了更新)。我错过了什么?
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:global-method-security secured-annotations="enabled"/>
<security:http pattern="/feed/**" create-session="stateless" entry-point-ref="digestEntryPoint" authentication-manager-ref="webAuthenticationManager" use-expressions="true">
<security:http-basic/>
<custom-filter ref="digestFilter" after="BASIC_AUTH_FILTER" />
</security:http>
<security:http name="webHttp" auto-config="true" use-expressions="true" authentication-manager-ref="webAuthenticationManager">
<!-- Restrict URLs based on role -->
<security:intercept-url pattern="/auth/login" access="permitAll" />
<security:intercept-url pattern="/auth/autologin" access="permitAll" />
<security:intercept-url pattern="/auth/logout" access="isAuthenticated()" />
<security:intercept-url pattern="/auth/loginSuccess" access="" /> <!-- empty access tag. The method checks for authenticated user -->
<security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
<!-- Override default login and logout pages -->
<security:form-login login-page="/auth/login"
login-processing-url="/auth/loginProcess"
default-target-url="/auth/loginSuccess"
authentication-failure-url="/auth/login?error=1" />
<security:logout logout-url="/auth/logout" logout-success-url="/" />
<security:remember-me key="remembermekey" user-service-ref="userDetailsService"/>
<security:session-management invalid-session-url="/auth/login"/>
</security:http>
<beans:bean id="digestFilter" class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
<beans:property name="userDetailsService" ref="userDetailsService" />
<beans:property name="authenticationEntryPoint" ref="digestEntryPoint" />
</beans:bean>
<beans:bean id="digestEntryPoint" class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
<beans:property name="realmName" value="Contacts Realm via Digest Authentication" />
<beans:property name="key" value="acegi" />
</beans:bean>
<security:authentication-manager id="webAuthenticationManager" alias="webAuthenticationManager">
<security:authentication-provider user-service-ref="userDetailsService">
<security:password-encoder hash="md5"/>
</security:authentication-provider>
</security:authentication-manager>
</beans:beans>