Spring Security拦截URL角色
问题内容:
在spring安全拦截URL配置中,如果我为特定路径(例如ROLE_USER)定义特定角色,则只有在用户具有该权限的情况下,该路径才可以访问。这样做是有道理的,但是如果我将角色设置为ROLE_ANONYMOUS,<intercept- url pattern="/resources/**" access="ROLE_ANONYMOUS"/>即使用户经过身份验证(例如,当用户具有权限ROLE_USER时)也不能访问该角色?但这不会发生。
这是日志
Checking match of request : '/resources/js/test.js'; against '/resources/**'
Secure object: FilterInvocation: URL: /resources/js/test.js; Attributes: [ROLE_ANONYMOUS]
Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken***********************************************
Voter: org.springframework.security.access.vote.RoleVoter@1712310, returned: -1
然后我得到一个拒绝访问的异常<intercept-url pattern="/resources/**" access="ROLE_ANONYMOUS,ROLE_USER"/>。我知道如果我在我的Http配置中添加它就可以正常工作。但是在上述情况下,是要那样吗还是我做错了。
问题答案:
这是正确的书写方式:
<intercept-url pattern="/resources/**" access="ROLE_ANONYMOUS,ROLE_USER"/>
您可以查看有关匿名身份验证的官方参考手册章节,在其中您会看到以下配置:
<bean id="filterSecurityInterceptor"
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
<property name="securityMetadata">
<security:filter-security-metadata-source>
<security:intercept-url pattern='/index.jsp' access='ROLE_ANONYMOUS,ROLE_USER'/>
<security:intercept-url pattern='/hello.htm' access='ROLE_ANONYMOUS,ROLE_USER'/>
<security:intercept-url pattern='/logoff.jsp' access='ROLE_ANONYMOUS,ROLE_USER'/>
<security:intercept-url pattern='/login.jsp' access='ROLE_ANONYMOUS,ROLE_USER'/>
<security:intercept-url pattern='/**' access='ROLE_USER'/>
</security:filter-security-metadata-source>" +
</property>
</bean>
