Why isn't the URL being intercepted?

Time: 2015-07-08 11:33:29

Tags: spring spring-security

This is my Spring Security configuration:

<http auto-config="true" use-expressions="true">
    <form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" 
        authentication-failure-url="/login?login_error=t" />

    <logout logout-url="/resources/j_spring_security_logout"/>

    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <intercept-url pattern="/monitoring" access="hasRole('ROLE_ADMIN')"  />
.......

I added <intercept-url pattern="/monitoring" access="hasRole('ROLE_ADMIN')" /> to keep users out of that section... but after logging in as a "normal" user I can still get into monitoring......

Why?

1 answer:

Answer 0 (score: 3)

The order of the <intercept-url .../> elements matters. Because the new intercept-url pattern="/monitoring" comes after pattern="/**", it is ignored: every URL under monitoring has already been handled by <intercept-url pattern="/**" access="isAuthenticated()" />.

You should write:

<intercept-url pattern="/monitoring" access="hasRole('ROLE_ADMIN')"  />
<intercept-url pattern="/**" access="isAuthenticated()" />

In general, intercept-url pattern="/**" must always come last.
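To make the first-match rule concrete, here is an added example (not code from the original post and not Spring's own matcher): a small Python simulation of how the <intercept-url> list is evaluated, with the question's rules in both orders. The Ant-pattern translation is a simplified, assumed version of Spring's AntPathMatcher (enough for `/**`, `*` and `?`), and `shadowed_rules` is a hypothetical lint that flags rules an earlier pattern makes unreachable. The rule lists are constructed from the configuration in the question.

```python
import re

# Constructed from the question: the rules in the order originally posted
# (the /monitoring rule sits after /**, so it can never be reached).
WRONG_ORDER = [
    ("/resources/**", "permitAll"),
    ("/login", "permitAll"),
    ("/**", "isAuthenticated()"),
    ("/monitoring", "hasRole('ROLE_ADMIN')"),
]

# The order the answer recommends: specific rules first, /** last.
FIXED_ORDER = [
    ("/resources/**", "permitAll"),
    ("/login", "permitAll"),
    ("/monitoring", "hasRole('ROLE_ADMIN')"),
    ("/**", "isAuthenticated()"),
]


def ant_to_regex(pattern: str) -> "re.Pattern":
    """Translate the Ant-style subset used in intercept-url patterns into a
    regex. Assumption: simplified stand-in for Spring's AntPathMatcher.
    '/**' matches the path itself plus any sub-path, '*' one segment,
    '?' one character; everything else is literal."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def first_match(rules, path):
    """Spring Security applies the first <intercept-url> whose pattern matches
    the request path and ignores every later rule. Returns (pattern, access)
    for the rule that wins, or None if nothing matches."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return pattern, access
    return None


def shadowed_rules(rules):
    """Hypothetical lint: a rule is shadowed when a representative path built
    from its own pattern is already claimed by an earlier rule. Returns a list
    of (index, shadowed_pattern, shadowing_pattern)."""
    findings = []
    for idx, (pattern, _access) in enumerate(rules):
        probe = pattern.replace("**", "probe/probe").replace("*", "probe").replace("?", "p")
        for earlier_pattern, _ in rules[:idx]:
            if ant_to_regex(earlier_pattern).match(probe):
                findings.append((idx, pattern, earlier_pattern))
                break
    return findings


if __name__ == "__main__":
    for name, rules in (("wrong", WRONG_ORDER), ("fixed", FIXED_ORDER)):
        print(name, "/monitoring ->", first_match(rules, "/monitoring"))
        print(name, "shadowed:", shadowed_rules(rules))
```

With the original order, a request for /monitoring resolves to the /** rule and only needs isAuthenticated(), which is exactly what the question observed; with the corrected order it resolves to hasRole('ROLE_ADMIN'). Note the caveat the simulation also exposes: pattern "/monitoring" matches only that exact path, so /monitoring/ or /monitoring/anything still falls through to /**; to protect the whole section, use "/monitoring/**" (and keep it above /**).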