在spring安全拦截URL配置中,如果我为特定路径(例如ROLE_USER)定义了特定角色,则只有在用户具有该权限的情况下,该路径才可以访问.这是有道理的,但是如果我将角色设置为ROLE_ANONYMOUS,即使用户经过身份验证(例如,当用户具有ROLE_USER权限时),<intercept-url pattern="/resources/**" access="ROLE_ANONYMOUS"/>也不能访问吗?但这不会发生.
In the spring security intercept-url config, if I define a particular role for a particular path, say ROLE_USER, that path should be accessible only if the user has that authority. That makes sense, but if I set the role as ROLE_ANONYMOUS, <intercept-url pattern="/resources/**" access="ROLE_ANONYMOUS"/> shouldn't it be accessible even when the user is authenticated, say when the user has an authority ROLE_USER? But that doesn't happen.
这是日志
Checking match of request : '/resources/js/test.js'; against '/resources/**' Secure object: FilterInvocation: URL: /resources/js/test.js; Attributes: [ROLE_ANONYMOUS] Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken*********************************************** Voter: org.springframework.security.access.vote.RoleVoter@1712310, returned: -1然后我得到一个访问被拒绝的异常.我知道如果在我的Http配置中添加<intercept-url pattern="/resources/**" access="ROLE_ANONYMOUS,ROLE_USER"/>,它会很好地工作.但是在上述情况下,是要那样吗还是我做错了事?
And then i get an access denied exception.I know it works fine if i add <intercept-url pattern="/resources/**" access="ROLE_ANONYMOUS,ROLE_USER"/> in my Http config. But in the above case, is it meant to be like that or am I doing something wrong.
推荐答案这是正确的书写方式:
<intercept-url pattern="/resources/**" access="ROLE_ANONYMOUS,ROLE_USER"/>您可以检查有关匿名身份验证的官方参考手册章节,您将看到以下配置:
You can check the official reference manual chapter about annonymous authentication where you'll see following configuration:
<bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor"> <property name="authenticationManager" ref="authenticationManager"/> <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/> <property name="securityMetadata"> <security:filter-security-metadata-source> <security:intercept-url pattern='/index.jsp' access='ROLE_ANONYMOUS,ROLE_USER'/> <security:intercept-url pattern='/hello.htm' access='ROLE_ANONYMOUS,ROLE_USER'/> <security:intercept-url pattern='/logoff.jsp' access='ROLE_ANONYMOUS,ROLE_USER'/> <security:intercept-url pattern='/login.jsp' access='ROLE_ANONYMOUS,ROLE_USER'/> <security:intercept-url pattern='/**' access='ROLE_USER'/> </security:filter-security-metadata-source>" + </property> </bean>您对ROLE_ANONYMOUS和ROLE_USER的理解有点错误,请在> Spring Security的开发人员之一Luke Taylor的答案中了解有关它们的更多信息. .
Your understanding of ROLE_ANONYMOUS and ROLE_USER is a bit wrong, read more about them in this answer by Luke Taylor, one of Spring Security's devs.
更多推荐
Spring Security拦截URL角色
发布评论