Question

我正在使用spring-mvc 3.1.1.RELEASE和Spring-Security构建应用程序，我希望每个人都必须登录才能访问它，我也希望限制某些用户访问角色，我编辑了spring-security.xml，所以：

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/context 
http://www.springframework.org/schema/context/spring-context-3.1.xsd">

<bean id="userDetailsService" class="it.dedagroup.cartesio.security.auth.UserDetailServiceImpl">
    <property name="accountService" ref="accountService"></property>
</bean>

<sec:http auto-config="true" use-expressions="true" create-session="always">
    <sec:http-basic />
    <sec:intercept-url pattern="/login" access="permitAll"/>
    <sec:intercept-url pattern="/failedLogin"  access="permitAll"/>
    <sec:intercept-url pattern="/resources/**" access="permitAll"/>
    <sec:intercept-url pattern="/error"  access="permitAll"/>
    <sec:intercept-url pattern="/accessDenied*" access="isAuthenticated()" />
    <sec:intercept-url pattern="/home*" access="isAuthenticated()" />
    <sec:intercept-url pattern="/utentiRicerca*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/userEdit*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/creaUser*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/detailsUtente*" access="isAuthenticated()" />
    <sec:intercept-url pattern="/modificaAccount*" access="isAuthenticated()" />
    <sec:intercept-url pattern="/serverRicerca*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/editServer*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/prepareListaSearch*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/prepareListaEdit*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/groupInitSearch*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/groupEdit*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/listaUpdate*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/upload*" access="isAuthenticated()" />
    <sec:intercept-url pattern="/emailRicerca*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/prepareEditCasella*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/acl*" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/initDaemons*" access="hasAnyRole('ROLE_ADMIN','ROLE_SYSTEM')" />
    <sec:intercept-url pattern="/mailbox*" access="hasAnyRole('ROLE_OPER','ROLE_USER')" />
    <sec:intercept-url pattern="/emailBody*" access="hasAnyRole('ROLE_OPER','ROLE_USER')" />
    <sec:intercept-url pattern="/pecBody*" access="hasAnyRole('ROLE_OPER','ROLE_USER')" />
    <sec:intercept-url pattern="/composeEmail*" access="hasRole('ROLE_OPER')" />

    <sec:form-login  login-page="/login"
        always-use-default-target="true"
        default-target-url="/home"
        authentication-failure-url="/failedLogin" />

    <sec:logout invalidate-session="true" logout-success-url="/logout" delete-cookies="true" />

    <sec:session-management invalid-session-url="/login" session-authentication-error-url="/failedLogin?sessionExpiredDuplicateLogin=true" >
        <sec:concurrency-control max-sessions="1" expired-url="/failedLogin" error-if-maximum-exceeded="false" />
    </sec:session-management>
</sec:http>

<sec:authentication-manager>
    <sec:authentication-provider user-service-ref="userDetailsService">
        <sec:password-encoder ref="stdEncoder"></sec:password-encoder>
    </sec:authentication-provider>
</sec:authentication-manager>

但如果我删除了根网址的seurity映射，它会返回一个找不到页面的错误，如果我以这种方式报复安全性：

<sec:intercept-url pattern="/**" access="isAuthenticated()" />

它在登录后将所有请求包装好，并在我直接在浏览器栏上写入时忽略我为子url指定的规则。

例如，我只需要＆＃34; ROLE_ADMIN＆＃34;可以访问url＆＃34; / utentiRicerca＆＃34;上的用户搜索，但如果我使用＆＃34; ROLE_USER＆＃34;我在浏览器网址上写道＆＃34; http://myhost.it:8080/myApp/utentiRicerca＆＃34;它没有给我＆＃34; http 403＆＃34;因为我应该担任这个角色。那么我能为它做些什么呢？

Answer 1

/ **模式将匹配任何网址，因此始终可以访问所有链接。如果你把它放在第一位，其他链接甚至不会被检查，如果你把它放在最后，将检查其他模式，但即使它们失败，当检查时，用户仍将通过安全性

如果您想限制某些网址，可以尝试更改您的网址结构，例如，在＆＃34; secure＆＃34;下设置任何为角色访问权限而设置的网址。网址

例如，你可以使用以下链接和＃34; secure＆＃34;字首：：

secured/prepareListaEdit

并使用这样的图案保护它们：

<sec:intercept-url pattern="secured/prepareListaEdit/* access="hasRole('ROLE_ADMIN')" />

然后添加一个模式而不是/ **使用/ *来访问根路径上的其他链接

<security:intercept-url pattern="/*" access="isAuthenticated()" />

（因为使用/ **会匹配所有子路径，包括＆＃34; secure＆＃34;）

Spring mvc和基于安全角色的限制问题

1 个答案: