Question

我正在使用Spring安全性，但我不太了解intercept-url的工作原理。这是我的spring security配置文件：

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jdbc="http://www.springframework.org/schema/jdbc"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/jdbc
http://www.springframework.org/schema/jdbc/spring-jdbc-3.2.xsd">

    <!-- configuration des urls  -->
    <security:http auto-config="true">
        <security:intercept-url pattern="/*" access="ROLE_USER" />
        <security:form-login/>
    </security:http>


    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="authenticationProvider" />
    </security:authentication-manager>

    <bean id="authenticationProvider"
       class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="userDetailsService" />
    </bean>

    <bean id="userDetailsService"
        class="com.nexthome.app.security.UserDetailsServiceImpl" />


</beans>

使用此配置，我无法在未经过身份验证的情况下进行访问。因此，当访问网址http://localhost:8080/nexthome时，会显示一个弹簧登录表单（http://localhost:8080/nexthome/spring_security_login）。但是当我改变为。我可以在不登录的情况下访问http://localhost:8080/nexthome/user/login。

我的目标是保护一些网址：

http://localhost:8080/nexthome  all people must access
http://localhost:8080/nexthome/login  all people must access ( how to display spring login form when trying to access the url?)
http://localhost:8080/nexthome/logout  access to ROLE_USER and ROLE_ADMIN

感谢您的帮助

Answer 1

我找到了问题的答案：

<security:http auto-config="true">
        <security:intercept-url pattern="/register"
            access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/login*"
            access="ROLE_USER" />
        <security:intercept-url pattern="/logout*"
            access="ROLE_USER,ROLE_ADMIN" />
        <security:form-login/>
 </security:http>

现在网址为     http:localhost:8080/nexthome可免费访问
    http:localhost:8080/nexthome/regsiter可免费访问
    http:localhost:8080/nexthome/login在访问ressource之前提示Spring Security登录表单     http:localhost:8080/nexthome/logout在访问ressource

之前提示Spring Security登录表单

Answer 2

security:intercept-url标记上的模式属性使用Ant paths。在此语法下，.除了文字.之外没有任何意义。因此，Spring安全性很可能无法识别该模式并被忽略。

如果您要对/nexthome/logout网址但不是/nexthome/login和/nexthome进行身份验证，则可以使用以下配置：

<security:http auto-config="true">
    <intercept-url pattern="/nexthome" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/nexthome/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/nexthome/logout" access="ROLE_USER,ROLE_ADMIN" />
    <security:form-login/>
</security:http>

Answer 3

在表单登录中使用像这样的登录页面

<securityform-login login-page="/login" >

如果未指定登录URL，Spring Security将自动在/创建登录URL spring_security_login。

出于注销目的使用

<intercept-url pattern="/nexthome/logout" access="ROLE_USER,ROLE_ADMIN" />

如何使用intercept-url模式和访问？

3 个答案: