Spring Security filter chain patterns

Time: 2015-06-18 18:57:39

Tags: java spring-security

When using Spring Security, you map a series of filters to URL patterns to specify the security of those URLs. These patterns can contain wildcards, for example

/foo/*/bar
/foo/**/bar

I can't find any documentation for these wildcards, but my guess is that the first pattern matches

/foo/baz/bar

but not

/foo/baz/baz/bar

whereas the second pattern (/foo/**/bar) would match both of them.

2 answers:

Answer 0 (score: 0)

Perhaps this code will help:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
    xmlns:p="http://www.springframework.org/schema/p"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:http auto-config="true">

        <security:intercept-url pattern="/login.do"
            access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/logout.do"
            access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/fail2login.do"
            access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/json/*.do"
            access="IS_AUTHENTICATED_ANONYMOUSLY" />

        <security:intercept-url pattern="/*" access="ROLE_ADMIN" />
        <security:form-login login-page="/login.do"
            default-target-url="/home.do" authentication-failure-url="/fail2login.do" />

        <security:session-management>
            <security:concurrency-control
                max-sessions="1" />
        </security:session-management>
        <security:logout logout-success-url="/logout.do"
            delete-cookies="JSESSIONID" invalidate-session="true" />
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <!-- Editor's fix: the original authorities query joined User and
                 UserRole without a join condition (a cross product), so every
                 role row was returned once per user. The us.userName =
                 ur.userName condition restricts it to the requested user. -->
            <security:jdbc-user-service
                data-source-ref="dataSource"
                users-by-username-query="select userName, password, status from User where userName = ?"
                authorities-by-username-query="select us.userName, ur.userRoleName from User us, UserRole ur where us.userName = ur.userName and ur.userName = ?" />
        </security:authentication-provider>
    </security:authentication-manager>
</beans>

Answer 1 (score: 0)

Your assumption is correct. A single wildcard * matches anything within one particular level of the URL tree, while the double wildcard ** matches any string pattern.

So

/foo/*/bar

would match

/foo/abc/bar and /foo/xyz/bar but not /foo/abc/xyz/bar

/foo/**/bar

would match all of the above.
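The following is an added example, not code from the question, either answer, or the Spring project. It is a simplified reimplementation of the Ant-style wildcard semantics that Spring's AntPathMatcher documents (`?` one character, `*` any run of characters inside a single path segment, `**` zero or more whole segments; trailing-slash rules are ignored), plus a first-match evaluator that mirrors how the ordered `<intercept-url>` elements in answer 0 are applied. The rule table and the sample paths are constructed from that configuration. Running it shows the wildcard behaviour answer 1 describes, and also why the `/*` catch-all in answer 0 is worth checking: a path with more than one segment, such as `/admin/users.do`, matches none of those patterns, and in Spring Security 3.x XML configuration a request that matches no `<intercept-url>` receives no access attribute and is not rejected by the FilterSecurityInterceptor by default. Widening the last rule to `/**` (the `HARDENED_RULES` table below) closes that gap while the earlier, more specific anonymous rules still win because they are evaluated first.

```python
import re

# Added example: a simplified reimplementation of Spring's Ant-style URL
# matching rules ('?' = one character, '*' = any run of characters inside one
# path segment, '**' = zero or more whole segments).  It is NOT Spring's
# AntPathMatcher; it exists only to make the wildcard semantics visible and
# to show how <intercept-url> rules are evaluated in order, first match wins.


def _segment_regex(segment: str) -> "re.Pattern[str]":
    """Translate one pattern segment (no '/' inside) into a regex."""
    out = []
    for ch in segment:
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out))


def _split(path: str) -> list:
    # Empty segments produced by the leading '/' (or a '//') are dropped.
    return [s for s in path.split("/") if s != ""]


def _match_segments(pats: list, segs: list) -> bool:
    if not pats:
        return not segs
    if pats[0] == "**":
        # '**' may swallow zero or more segments; try every split point.
        return any(_match_segments(pats[1:], segs[i:]) for i in range(len(segs) + 1))
    if not segs:
        return False
    return (_segment_regex(pats[0]).fullmatch(segs[0]) is not None
            and _match_segments(pats[1:], segs[1:]))


def ant_match(pattern: str, path: str) -> bool:
    """True if PATH matches the Ant-style PATTERN, compared segment by segment."""
    return _match_segments(_split(pattern), _split(path))


def first_matching_rule(rules, path):
    """Return (pattern, access) of the first rule whose pattern matches PATH, else None.

    Mirrors the order-dependent evaluation of <intercept-url> elements: the
    first matching pattern decides the access attribute, and a request that
    matches no rule gets no access attribute at all.
    """
    for pattern, access in rules:
        if ant_match(pattern, path):
            return pattern, access
    return None


# Constructed rule table transcribed from the <intercept-url> elements in answer 0.
ANSWER0_RULES = [
    ("/login.do", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/logout.do", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/fail2login.do", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/json/*.do", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/*", "ROLE_ADMIN"),
]

# Same table with the catch-all widened to '/**' so nested paths are covered too.
HARDENED_RULES = ANSWER0_RULES[:-1] + [("/**", "ROLE_ADMIN")]


def unmatched_paths(rules, paths):
    """Paths from PATHS that no rule in RULES matches, i.e. that fall through every rule."""
    return [p for p in paths if first_matching_rule(rules, p) is None]


if __name__ == "__main__":
    for pattern, path in [("/foo/*/bar", "/foo/baz/bar"),
                          ("/foo/*/bar", "/foo/baz/baz/bar"),
                          ("/foo/**/bar", "/foo/baz/baz/bar"),
                          ("/foo/**/bar", "/foo/bar")]:
        print(f"{pattern:14} {path:20} -> {ant_match(pattern, path)}")
    # Constructed sample requests against the two rule tables.
    sample = ["/home.do", "/json/list.do", "/admin/users.do", "/json/v2/list.do"]
    print("unmatched with '/*':  ", unmatched_paths(ANSWER0_RULES, sample))
    print("unmatched with '/**': ", unmatched_paths(HARDENED_RULES, sample))
```

The matcher works on path segments rather than on the raw string, which is exactly what makes `*` stop at the next `/` while `**` can span any number of segments. Note that `/json/v2/list.do` also falls outside `/json/*.do` for the same reason, so under the widened table it is decided by the `/**` rule and requires ROLE_ADMIN; if such nested JSON endpoints are meant to be anonymous, they need their own explicit rule placed before the catch-all.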