Jav*_*avi 8 spring spring-security
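Recently, Spring Security made it possible to configure several <http> elements. I am trying to set up one configuration for all URLs that match the pattern /foo/* and another configuration for the rest of the mappings. I now have two login pages, one set at /login and the other at /foo/login. So I want all URLs that map to /foo/** to be sent to /foo/login to log in.
I created a configuration like the one below, but when I enter a URL like /foo/something (which should not be allowed for anonymous users), it goes to /login instead of going to /foo/login.
The Spring Security version is 3.1.0.RC1. Any ideas about what might be happening?
Thanks.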
<sec:http auto-config="true" pattern="/foo/**" entry-point-ref="ajaxAuthenticationEntryPoint">
  <sec:intercept-url pattern="/foo/login" access="ROLE_ANONYMOUS,ROLE_BASIC,ROLE_ADMIN" />
  ...
  <!-- other sec:intercepts for some /foo/* urls -->
  ...
  <sec:intercept-url pattern="/foo/**" access="ROLE_BASIC" />
  <sec:custom-filter before="SECURITY_CONTEXT_FILTER" ref="basicProcessingFilter" />
  <sec:form-login login-page="/foo/login" authentication-failure-url="/foo/login" default-target-url="/index" always-use-default-target="true" />
  <sec:session-management>
    <sec:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/login" />
  </sec:session-management>
</sec:http>
<sec:http auto-config="true" pattern="/**" entry-point-ref="ajaxAuthenticationEntryPoint">
  <!-- some sec:intercepts for some urls -->
  ...
  <sec:intercept-url pattern="/**" access="ROLE_ADMIN" />
  <sec:custom-filter before="SECURITY_CONTEXT_FILTER" ref="basicProcessingFilter" />
  <sec:form-login login-page="/login" default-target-url="/index" always-use-default-target="true" />
  <sec:session-management>
    <sec:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/login" />
  </sec:session-management>
</sec:http>
Just a guess. Could it be that the patterns are additive?
So that an annotation like the following:
<sec:http auto-config="true" pattern="/foo/**" entry-point-ref="ajaxAuthenticationEntryPoint">
  <sec:intercept-url pattern="/foo/**" access="ROLE_BASIC" />
</sec:http>
intercepts /foo/foo/**. This would cause the foo/something request to be intercepted by your second http definition, i.e. the one with pattern="/**".