I'm trying to get http-basic (stateless) and http with form-login working together, but no luck so far. Based on this question, what I'm trying to achieve seems to be possible. (Currently on Spring Security version 3.2.3). This is what I have:
<http pattern="/service/**" create-session="stateless">
    <intercept-url pattern="/test/**" access="ROLE_TEST" />
    <intercept-url pattern="/remote/**" access="ROLE_REMOTE" />
    <http-basic />
</http>

<http>
    <intercept-url pattern="/something/**" access="ROLE_STH" />
    <intercept-url pattern="/somethignelse/**" access="ROLE_STHELSE" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <form-login/>
</http>
<authentication-manager alias="authMgrDefault">
    <authentication-provider>
        <jdbc-user-service
            data-source-ref="dataSource"
            users-by-username-query="select username, password, is_enabled as enabled
                                     from sys_user
                                     where username = ?"
            authorities-by-username-query="select u.username, r.authority
                                           from sys_user u, sys_user_role r
                                           where u.id = r.sys_user_id and u.username = ?" />
    </authentication-provider>
</authentication-manager>
With this configuration, only the latter http seems to work (I get the login page). The first one seems to let URLs through freely without any authentication (as if anonymous). What am I missing..?
Answer 0 (score: 1)
The intercept-url pattern should be the whole path from the context root:
<http pattern="/service/**" create-session="stateless">
    <intercept-url pattern="/service/test/**" access="ROLE_TEST" />
    <intercept-url pattern="/service/remote/**" access="ROLE_REMOTE" />
    <http-basic />
</http>
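The reason the original /service block "lets everything through" is worth seeing concretely, because it is a fail-open rather than a fail-closed behaviour. Every `<intercept-url pattern>` is matched by Spring's Ant-style matcher against the full request path below the context root, not relative to the enclosing `<http pattern="/service/**">`. So `/test/**` never matches `/service/test/report`, no rule applies, and in Spring Security 3.x a request with no matching `<intercept-url>` is simply allowed through (`rejectPublicInvocations` is false by default). The following is an added example, not code from the question or answer: a small Python model of the Ant matcher and the chain selection, run against the original config, the answer's fixed config, and a hardened variant that I add as an assumption (a trailing `/**` rule with `denyAll`, which in the XML requires `use-expressions="true"` on the `<http>` element) so that unmatched `/service/...` requests are rejected instead of passing.

```python
import re
from typing import List, Optional, Tuple


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Minimal model of Spring's AntPathMatcher as used by <intercept-url>.

    '/**' matches zero or more whole path segments, '*' any run of characters
    inside one segment, '?' exactly one character. Patterns are compared with the
    request path below the context root, never relative to the <http pattern>.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")   # '/**': zero or more segments
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")         # bare '**': anything at all
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")      # '*': stays within one segment
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")       # '?': one character, not a slash
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


class HttpBlock:
    """One <http> element: optional pattern plus its <intercept-url> rules in order."""

    def __init__(self, pattern: Optional[str], rules: List[Tuple[str, str]]):
        self.pattern = ant_to_regex(pattern) if pattern else None
        self.rules = [(p, ant_to_regex(p), access) for p, access in rules]


def resolve(chains: List[HttpBlock], path: str) -> Tuple[int, Optional[str]]:
    """Mimic FilterChainProxy + FilterSecurityInterceptor in Spring Security 3.x.

    The first <http> whose pattern matches owns the request; inside it the first
    matching <intercept-url> wins. A request that matches no rule returns access
    None, which 3.x treats as "no constraint" and lets through (fail open).
    """
    for idx, block in enumerate(chains):
        if block.pattern is None or block.pattern.match(path):
            for _raw, rx, access in block.rules:
                if rx.match(path):
                    return idx, access
            return idx, None
    raise LookupError("no filter chain matches " + path)


# Constructed configs mirroring the thread's XML.
ORIGINAL = [  # the question: rules written relative to /service
    HttpBlock("/service/**", [("/test/**", "ROLE_TEST"),
                              ("/remote/**", "ROLE_REMOTE")]),
    HttpBlock(None, [("/something/**", "ROLE_STH"),
                     ("/somethignelse/**", "ROLE_STHELSE"),
                     ("/**", "IS_AUTHENTICATED_ANONYMOUSLY")]),
]

FIXED = [  # the answer: full paths from the context root
    HttpBlock("/service/**", [("/service/test/**", "ROLE_TEST"),
                              ("/service/remote/**", "ROLE_REMOTE")]),
    ORIGINAL[1],
]

# Assumed hardening, not from the thread: catch-all deny so an unmatched
# /service/... request is rejected rather than passed through. In XML:
# <intercept-url pattern="/**" access="denyAll"/> with use-expressions="true".
HARDENED = [
    HttpBlock("/service/**", [("/service/test/**", "ROLE_TEST"),
                              ("/service/remote/**", "ROLE_REMOTE"),
                              ("/**", "denyAll")]),
    ORIGINAL[1],
]


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED), ("hardened", HARDENED)):
        for path in ("/service/test/report", "/service/other", "/something/x", "/test/x"):
            print(f"{name:9s} {path:22s} -> chain {resolve(cfg, path)[0]}, "
                  f"access={resolve(cfg, path)[1]}")
```

Running it shows `/service/test/report` resolving to chain 0 with no access attribute under the original config (which is exactly "passed as anonymous"), `ROLE_TEST` under the fixed config, and `/service/other` still unconstrained even after the fix until the trailing deny rule is added; the point of the last config is that a typo in a pattern then turns into a 403 you notice rather than an open endpoint you don't.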