Question

我很难解决一直在努力解决问题的问题。我刚刚将我的spring mvc web应用程序从3.0.5.RELEASE移动到3.1.0.RELEASE，并且发现spring security的行为与我配置的不同。

当我尝试加载登录页面时，我的错误就显现出来了。错误是文档类型错误... errors

但是在做了一些研究之后我才明白错误信息告诉我，我试图在我的登录页面中加载的css和js资源无法找到（或者我的情况是Spring安全性不允许访问它们）。

我已经整天尝试调整spring安全文件以允许访问css和js资源但无法正确配置。真的很感激一些帮助。

这是我的项目结构......

Tomcat Webapps>
   >ReportingManager
      >WEB-INF
         >pages
         >spring-application-context.xml
         >spring-security.xml
         >spring-database.xml
         >spring-resources.xml
         >spring-managers.xml  
      >resources
         >css
         >images
         >reports

这是我的web.xml ...

<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring-application-context.xml</param-value>
</context-param>

<!-- Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

这是我的spring-security.xml文件....

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:global-method-security secured-annotations="enabled" />
    <http pattern="/**/*.css" security="none" />
    <http pattern="/**/*.js" security="none" />
    <http pattern="/**/*.png" security="none" />
    <http pattern="/**/*.jpg" security="none" />
    <http pattern="/**/*.gif" security="none" />    
    <security:http auto-config="true">

        <!-- Login and log out -->
        <security:form-login 
            login-page="/login" 
            default-target-url="/welcome"
            authentication-failure-url="/loginfailed" />
        <security:logout logout-success-url="/logout" />

    <intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_LEVEL7" />
    <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_LEVEL7" />
    <intercept-url pattern="/welcome" access="ROLE_LEVEL7" />
    <intercept-url pattern="/priceOverride" access="ROLE_LEVEL7" /> 

    </security:http>

    <!-- Authentication -->
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider user-service-ref="userDetailsDao">
            <security:password-encoder hash="md5" />
        </security:authentication-provider>
    </security:authentication-manager>

</beans>

只是为了完整性，这里是我的应用程序上下文......

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans     
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/context 
        http://www.springframework.org/schema/context/spring-context-3.1.xsd">

    <!-- import XML fragments to use in the application context  -->
    <import resource="spring-database.xml" />
    <import resource="spring-resources.xml" />
    <import resource="spring-managers.xml" />
    <import resource="spring-security.xml" />

</beans>

还有我的mvc-dispatcher-servlet.xml ......

<context:component-scan base-package="com.myer.reporting.controller" />
<bean
    class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <property name="prefix">
        <value>/WEB-INF/pages/</value>
    </property>
    <property name="suffix">
        <value>.jsp</value>
    </property>
</bean>
<mvc:resources mapping="/resources/**" location="/resources/" />
<mvc:annotation-driven />

我对这篇长篇文章感到抱歉，但我想确保不遗漏任何有价值的信息。我知道这肯定是导致问题的春天安全因为当我在3.0.5.RELEASE时我可以在浏览器中点击css和javascript。但是当我尝试用3.1.0.RELEASE做同样的事情时，我无法击中css或js。但另一个令人困惑的事情是我没有得到403错误。相反，它只是让我在当前页面（login.htm）。

感谢您的帮助。虽然这会令人尴尬，但我希望我能错过一些容易解决的问题。

更新 - ＆gt;我尝试了下面的一些答案，但没有成功。但我确实设法从日志中获取了一些输出并附加了下面的输出，看看是否有人可以告诉可能会发生。我也根据你给我的帮助略微更新了原始配置。

2014-01-07 12:50:43,362 INFO  [SpringSecurityCoreVersion] - You are running with Spring Security Core 3.1.4.RELEASE
2014-01-07 12:50:43,362 INFO  [SecurityNamespaceHandler] - Spring Security 'config' module version is 3.1.4.RELEASE
2014-01-07 12:50:43,455 INFO  [HttpSecurityBeanDefinitionParser] - Checking sorted filter chain: [Root bean: class [org.springframework.security.web.context.SecurityContextPersistenceFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 200, Root bean: class [org.springframework.security.web.authentication.logout.LogoutFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 400, <org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0>, order = 800, Root bean: class [org.springframework.security.web.authentication.www.BasicAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1200, Root bean: class [org.springframework.security.web.savedrequest.RequestCacheAwareFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1300, Root bean: class [org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1400, Root bean: class [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1700, Root bean: class [org.springframework.security.web.session.SessionManagementFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1800, Root bean: class [org.springframework.security.web.access.ExceptionTranslationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1900, <org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0>, order = 2000]
2014-01-07 12:50:44,236 INFO  [DefaultSecurityFilterChain] - Creating filter chain: Ant [pattern='/**/*.css'], []
2014-01-07 12:50:44,283 INFO  [DefaultSecurityFilterChain] - Creating filter chain: Ant [pattern='/**/*.js'], []
2014-01-07 12:50:44,283 INFO  [DefaultSecurityFilterChain] - Creating filter chain: Ant [pattern='/**/*.png'], []
2014-01-07 12:50:44,283 INFO  [DefaultSecurityFilterChain] - Creating filter chain: Ant [pattern='/**/*.jpg'], []
2014-01-07 12:50:44,283 INFO  [DefaultSecurityFilterChain] - Creating filter chain: Ant [pattern='/**/*.gif'], []
2014-01-07 12:50:44,704 DEBUG [FilterSecurityInterceptor] - Validated configuration attributes
2014-01-07 12:50:44,704 INFO  [DefaultSecurityFilterChain] - Creating filter chain: org.springframework.security.web.util.AnyRequestMatcher@1, [org.springframework.security.web.context.SecurityContextPersistenceFilter@64dfeb, org.springframework.security.web.authentication.logout.LogoutFilter@a8c19b, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@13eb2bc, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@14865b1, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@c5575, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1be8bf1, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@d591a6, org.springframework.security.web.session.SessionManagementFilter@14d6015, org.springframework.security.web.access.ExceptionTranslationFilter@df39bc, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@147788d]
2014-01-07 12:50:44,720 INFO  [DefaultFilterChainValidator] - Checking whether login URL '/login' is accessible with your configuration
2014-01-07 12:50:44,720 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login'; against '/**/*.css'
2014-01-07 12:50:44,720 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login'; against '/**/*.js'
2014-01-07 12:50:44,720 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login'; against '/**/*.png'
2014-01-07 12:50:44,720 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login'; against '/**/*.jpg'
2014-01-07 12:50:44,720 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login'; against '/**/*.gif'
2014-01-07 12:50:44,720 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login'; against '/resources/**'
2014-01-07 12:50:44,720 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login'; against '/login'
2014-01-07 12:50:44,720 DEBUG [AffirmativeBased] - Voter: org.springframework.security.access.vote.RoleVoter@a3ce3f, returned: -1
2014-01-07 12:50:44,720 DEBUG [AffirmativeBased] - Voter: org.springframework.security.access.vote.AuthenticatedVoter@39b99d, returned: 1
2014-01-07 12:52:00,472 DEBUG [AntPathRequestMatcher] - Checking match of request : '/index.jsp'; against '/**/*.css'
2014-01-07 12:52:00,472 DEBUG [AntPathRequestMatcher] - Checking match of request : '/index.jsp'; against '/**/*.js'
2014-01-07 12:52:00,472 DEBUG [AntPathRequestMatcher] - Checking match of request : '/index.jsp'; against '/**/*.png'
2014-01-07 12:52:00,472 DEBUG [AntPathRequestMatcher] - Checking match of request : '/index.jsp'; against '/**/*.jpg'
2014-01-07 12:52:00,472 DEBUG [AntPathRequestMatcher] - Checking match of request : '/index.jsp'; against '/**/*.gif'
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-01-07 12:52:00,472 DEBUG [HttpSessionSecurityContextRepository] - No HttpSession currently exists
2014-01-07 12:52:00,472 DEBUG [HttpSessionSecurityContextRepository] - No SecurityContext was available from the HttpSession: null. A new one will be created.
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp at position 2 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp at position 3 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp at position 4 of 10 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2014-01-07 12:52:00,472 DEBUG [AnonymousAuthenticationFilter] - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
2014-01-07 12:52:00,472 DEBUG [SessionManagementFilter] - Requested session ID 5CB169513CF0935187728353885EB4EF is invalid.
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2014-01-07 12:52:00,472 DEBUG [AntPathRequestMatcher] - Checking match of request : '/index.jsp'; against '/resources/**'
2014-01-07 12:52:00,472 DEBUG [AntPathRequestMatcher] - Checking match of request : '/index.jsp'; against '/login'
2014-01-07 12:52:00,472 DEBUG [AntPathRequestMatcher] - Checking match of request : '/index.jsp'; against '/welcome'
2014-01-07 12:52:00,472 DEBUG [AntPathRequestMatcher] - Checking match of request : '/index.jsp'; against '/priceoverride'
2014-01-07 12:52:00,472 DEBUG [FilterSecurityInterceptor] - Public object - authentication not attempted
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp reached end of additional filter chain; proceeding with original chain
2014-01-07 12:52:01,659 DEBUG [HttpSessionEventPublisher] - Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@818805]
2014-01-07 12:52:01,659 DEBUG [HttpSessionSecurityContextRepository] - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2014-01-07 12:52:01,659 DEBUG [ExceptionTranslationFilter] - Chain processed normally
2014-01-07 12:52:01,659 DEBUG [SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
2014-01-07 12:52:01,675 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login.html'; against '/**/*.css'
2014-01-07 12:52:01,675 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login.html'; against '/**/*.js'
2014-01-07 12:52:01,675 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login.html'; against '/**/*.png'
2014-01-07 12:52:01,675 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login.html'; against '/**/*.jpg'
2014-01-07 12:52:01,675 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login.html'; against '/**/*.gif'
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-01-07 12:52:01,675 DEBUG [HttpSessionSecurityContextRepository] - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2014-01-07 12:52:01,675 DEBUG [HttpSessionSecurityContextRepository] - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@818805. A new one will be created.
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html at position 2 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html at position 3 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html at position 4 of 10 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2014-01-07 12:52:01,675 DEBUG [AnonymousAuthenticationFilter] - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9054b1a2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1c07a: RemoteIpAddress: 127.0.0.1; SessionId: 6797458107289A1298C0F15240BC0CB4; Granted Authorities: ROLE_ANONYMOUS'
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2014-01-07 12:52:01,675 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login.html'; against '/resources/**'
2014-01-07 12:52:01,675 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login.html'; against '/login'
2014-01-07 12:52:01,675 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login.html'; against '/welcome'
2014-01-07 12:52:01,675 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login.html'; against '/priceoverride'
2014-01-07 12:52:01,675 DEBUG [FilterSecurityInterceptor] - Public object - authentication not attempted
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html reached end of additional filter chain; proceeding with original chain
2014-01-07 12:52:02,846 DEBUG [HttpSessionSecurityContextRepository] - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2014-01-07 12:52:02,846 DEBUG [ExceptionTranslationFilter] - Chain processed normally
2014-01-07 12:52:02,846 DEBUG [SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
2014-01-07 12:52:02,862 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/css/header.css'; against '/**/*.css'
2014-01-07 12:52:02,862 DEBUG [FilterChainProxy] - /resources/css/header.css has an empty filter list
2014-01-07 12:52:02,877 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/grid.locale-en.js'; against '/**/*.css'
2014-01-07 12:52:02,877 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/jquery-1.7.1.min.js'; against '/**/*.css'
2014-01-07 12:52:02,877 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/grid.locale-en.js'; against '/**/*.js'
2014-01-07 12:52:02,877 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/jquery-1.7.1.min.js'; against '/**/*.js'
2014-01-07 12:52:02,877 DEBUG [FilterChainProxy] - /resources/js/grid.locale-en.js has an empty filter list
2014-01-07 12:52:02,877 DEBUG [FilterChainProxy] - /resources/js/jquery-1.7.1.min.js has an empty filter list
2014-01-07 12:52:02,877 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/jquery.metadata.js'; against '/**/*.css'
2014-01-07 12:52:02,877 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/jquery.metadata.js'; against '/**/*.js'
2014-01-07 12:52:02,877 DEBUG [FilterChainProxy] - /resources/js/jquery.metadata.js has an empty filter list
2014-01-07 12:52:02,893 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/jquery.jqgrid.min.js'; against '/**/*.css'
2014-01-07 12:52:02,893 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/jquery.jqgrid.min.js'; against '/**/*.js'
2014-01-07 12:52:02,893 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/jquery.validate.min.js'; against '/**/*.css'
2014-01-07 12:52:02,893 DEBUG [FilterChainProxy] - /resources/js/jquery.jqGrid.min.js has an empty filter list
2014-01-07 12:52:02,893 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/jquery.validate.min.js'; against '/**/*.js'
2014-01-07 12:52:02,893 DEBUG [FilterChainProxy] - /resources/js/jquery.validate.min.js has an empty filter list
2014-01-07 12:52:02,909 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/messages.js'; against '/**/*.css'
2014-01-07 12:52:02,909 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/messages.js'; against '/**/*.js'
2014-01-07 12:52:02,909 DEBUG [FilterChainProxy] - /resources/js/messages.js has an empty filter list
2014-01-07 12:52:02,909 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/jquery.hotkeys-0.8.js'; against '/**/*.css'
2014-01-07 12:52:02,909 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/jquery.hotkeys-0.8.js'; against '/**/*.js'
2014-01-07 12:52:02,909 DEBUG [FilterChainProxy] - /resources/js/jquery.hotkeys-0.8.js has an empty filter list
2014-01-07 12:52:02,909 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/shortcut-keys.js'; against '/**/*.css'
2014-01-07 12:52:02,924 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/constants.js'; against '/**/*.css'
2014-01-07 12:52:02,924 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/validation.js'; against '/**/*.css'
2014-01-07 12:52:02,924 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/common.js'; against '/**/*.css'
2014-01-07 12:52:02,924 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/shortcut-keys.js'; against '/**/*.js'
2014-01-07 12:52:02,924 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/constants.js'; against '/**/*.js'
2014-01-07 12:52:02,924 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/validation.js'; against '/**/*.js'
2014-01-07 12:52:02,924 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/common.js'; against '/**/*.js'
2014-01-07 12:52:02,924 DEBUG [FilterChainProxy] - /resources/js/shortcut-Keys.js has an empty filter list
2014-01-07 12:52:02,924 DEBUG [FilterChainProxy] - /resources/js/validation.js has an empty filter list
2014-01-07 12:52:02,924 DEBUG [FilterChainProxy] - /resources/js/common.js has an empty filter list
2014-01-07 12:52:02,924 DEBUG [FilterChainProxy] - /resources/js/constants.js has an empty filter list
2014-01-07 12:52:02,924 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/pages/login.js'; against '/**/*.css'
2014-01-07 12:52:02,924 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/pages/login.js'; against '/**/*.js'
2014-01-07 12:52:02,924 DEBUG [FilterChainProxy] - /resources/js/pages/login.js has an empty filter list
2014-01-07 12:52:02,940 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/css/yaml/yaml/core/js/yaml-focusfix.js'; against '/**/*.css'
2014-01-07 12:52:02,940 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/css/yaml/yaml/core/js/yaml-focusfix.js'; against '/**/*.js'
2014-01-07 12:52:02,940 DEBUG [FilterChainProxy] - /resources/css/yaml/yaml/core/js/yaml-focusfix.js has an empty filter list

Answer 1

尝试添加

<security:http pattern="/resources/**" security="none" />

高于您现有的配置，这将阻止任何Spring Security过滤器应用于匹配该模式的请求。

始终启用调试日志记录并检查日志以查看spring安全性以特定方式处理请求的原因。

Answer 2

尝试替换

的两个实例

IS_AUTHENTICATED_ANONYMOUSLY

与

IS_AUTHENTICATED_ANONYMOUSLY,ROLE_LEVEL7

如果不起作用，请尝试替换

IS_AUTHENTICATED_ANONYMOUSLY

与

ROLE_ANONYMOUS,ROLE_LEVEL7

我对IS_AUTHENTICATED_ANONYMOUSLY了解不多，但ROLE_ANONYMOUS和IS_AUTHENTICATED_ANONYMOUSLY之间的差异被解释为here。

您应该将ROLE_LEVEL7添加到ROLE_ANONYMOUS / IS_AUTHENTICATED_ANONYMOUSLY，因为经过身份验证的用户不属于内置角色ROLE_ANONYMOUS（并且/resources/目录是不适用于他们。）

如果两者都不起作用，请尝试暂时删除所有<security:intercept-url>标记，以查看您的应用是否正常运行，没有任何安全限制。

Answer 3

我对此有所帮助。问题是我需要在web.xml中更改以下内容......

<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>*.htm</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>*.html</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>*.rep</url-pattern>
</servlet-mapping>

停止spring security阻止访问我的资源文件夹

3 个答案: