帶彈簧的網絡應用和休息服務的安全

Question

首先，讓我感謝你在這個網站給予的巨大幫助！

那麼，我會馬上指出一點：我是春天的新手，我用appfuse創建了一個新的web應用程序。最初的想法是創建一個帶前端的簡單平臺，然後從外部客戶端調用其餘服務。

問題是我無法定義一個security.xml文件，其中（頁面和其他服務）可以使用不同的身份驗證方法。

我的想法是基於網址參數的服務網頁和認證登錄表單，但我得到的唯一的事情是個例外：

A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored"

我已分別嘗試過它們中的每一個，但是當我把它們收集在同一個文件中時，例外情況就會升高。

<http pattern="/images/**" security="none"/> 
    <http pattern="/styles*/**" security="none"/> 
    <http pattern="/scripts*/**" security="none"/> 
    <http pattern="/assets*/**" security="none"/> 
    <http entry-point-ref="restAuthenticationEntryPoint"> 
     <intercept-url pattern="/services/**" access="ROLE_ADMIN,ROLE_ADMIN,ROLE_USER"/> 
     <custom-filter ref="myFilter" position="FORM_LOGIN_FILTER"/> 
     <logout /> 
    </http> 
    <beans:bean id="myFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"> 
     <beans:property name="authenticationManager" ref="authenticationManager"/> 
     <beans:property name="authenticationSuccessHandler" ref="mySuccessHandler"/> 
    </beans:bean> 
    <beans:bean id="mySuccessHandler" class="org.bringer.webapp.authentication.MyAuthSuccessHandler"/>  
    <http auto-config="true" access-denied-page="/accessdenied"> 
     <intercept-url pattern="/login*/**" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/> 
     <intercept-url pattern="/admin/*" access="ROLE_ADMIN"/> 
     <intercept-url pattern="/passwordhint*/**" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/> 
     <intercept-url pattern="/signup*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/> 
     <intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER"/> 
     <form-login login-page="/login" 
        default-target-url="/home" 
        always-use-default-target="true" 
        authentication-failure-url="/login/error" 
        login-processing-url="/j_security_check"/>      
     <remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66"/> 
    </http> 
    <authentication-manager alias="authenticationManager"> 
     <authentication-provider user-service-ref="userDao"> 
      <password-encoder ref="passwordEncoder"> 
       <salt-source ref="saltSource"/> 
      </password-encoder> 
     </authentication-provider> 
    </authentication-manager> 
    <beans:bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource" 
     p:userPropertyToUse="username"/> 
    <global-method-security> 
     <protect-pointcut expression="execution(* *..service.UserManager.getUsers(..))" access="ROLE_ADMIN"/> 
     <protect-pointcut expression="execution(* *..service.UserManager.removeUser(..))" access="ROLE_ADMIN"/> 
    </global-method-security> 

即使我已經刪除了「/ **」模式，但除了例外，我什麼也沒有得到。

可能有人指着我正確的方向嗎？任何幫助將不勝感激。

Answer 1

解決！

這是幫我解決這個問題

<http pattern="/services/**" create-session="stateless"> 
     <intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER" /> 
     <http-basic /> 
    </http> 
    <http pattern="/login*/**" security="none"/>  
    <http auto-config="true" access-denied-page="/accessdenied">  
     <intercept-url pattern="/admin/*" access="ROLE_ADMIN"/> 
     <intercept-url pattern="/passwordhint*/**" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/> 
     <intercept-url pattern="/signup*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/> 
     <intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER"/> 
     <form-login login-page="/login" 
        default-target-url="/home" 
        always-use-default-target="true" 
        authentication-failure-url="/login/error" 
        login-processing-url="/j_security_check"/>      
     <remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66"/> 
    </http>