My spring-security configuration:
<http request-matcher="regex">
    <anonymous granted-authority="ROLE_ANONYMOUS"/>
    <intercept-url pattern="/admin*" access="ROLE_ADMIN" />
    <intercept-url pattern="/consultant*" access="ROLE_CONSULTANT" />
    <intercept-url pattern="/logout*" access="ROLE_ADMIN,ROLE_CONSULTANT"/>
    <intercept-url pattern="/chat*" access="ROLE_CONSULTANT,ROLE_ANONYMOUS"/>
    <intercept-url pattern="/*" access="ROLE_ANONYMOUS" />
    <form-login login-page="/login" default-target-url="/consultant"
                authentication-failure-url="/login?error=true"
                username-parameter="username"
                password-parameter="password"
                login-processing-url="/login-check"/>
    <logout logout-url="/logout" logout-success-url="/" delete-cookies="JSESSIONID" />
    <session-management>
        <concurrency-control max-sessions="1" session-registry-alias="sessionRegistry" error-if-maximum-exceeded="true"/>
    </session-management>
</http>
There are three roles in my application: ROLE_ADMIN, ROLE_CONSULTANT and ROLE_ANONYMOUS. I want to separate access between them, for example, ROLE_ADMIN cannot open /consultant.
But I ran into a problem when logging in as ROLE_CONSULTANT and opening some /chat links: on the /consultant page he is logged in, but after being forwarded to the /chat page he becomes anonymous.
These are the lines I found in the debug log:
chat?action=startChat at position 3 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG [qtp1591019083-16] (SessionRegistryImpl.java:164) - Removing principal ...
So the question is: why does this happen, and how can I avoid it?
P.S.: I am using spring-security 3.2.0RC2.
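As an added check (not part of the question above and not Spring Security's own test code): with request-matcher="regex", every intercept-url pattern is compiled as a java.util.regex.Pattern and must fully match the servlet path plus any query string, so `*` is a regex quantifier, not a path wildcard. The JUnit 4 test below, which assumes spring-test's MockHttpServletRequest and JUnit 4 on the classpath, shows what the patterns from the configuration above actually cover and contrasts them with anchored alternatives.

```java
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;

public class InterceptUrlPatternTest {

    // Build a request the way the container presents it to the filter chain:
    // servletPath carries the path, queryString the part after '?'.
    private static MockHttpServletRequest get(String path, String query) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", path);
        request.setServletPath(path);
        request.setQueryString(query);
        return request;
    }

    // null HTTP method: match on URL only, as an intercept-url without method= does
    private static boolean matches(String pattern, String path, String query) {
        return new RegexRequestMatcher(pattern, null).matches(get(path, query));
    }

    @Test
    public void chatPatternDoesNotCoverQueryString() {
        // As a regex, "/chat*" means "/cha" followed by zero or more 't'.
        assertTrue(matches("/chat*", "/chat", null));
        assertTrue(matches("/chat*", "/cha", null));
        // The query string is part of the matched URL, so this falls through.
        assertFalse(matches("/chat*", "/chat", "action=startChat"));
    }

    @Test
    public void slashStarIsNotACatchAll() {
        // As a regex, "/*" matches only a run of slashes, never "/index".
        assertTrue(matches("/*", "/", null));
        assertFalse(matches("/*", "/index", null));
    }

    @Test
    public void anchoredPatternsCoverSubpathsAndQueries() {
        // Candidate patterns (constructed here): ".*" is the regex wildcard.
        assertTrue(matches("/chat(\\?.*)?", "/chat", "action=startChat"));
        assertTrue(matches("/consultant.*", "/consultant", "x=1"));
        assertTrue(matches("/.*", "/index", null));
    }
}
```

A request that matches no intercept-url is simply not subject to any access rule, so running this kind of test against every pattern in the configuration is the quickest way to find gaps in the role separation.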