春季安全不會對攔截的URL

重定向我有2個問題，我的春春-security.xml文件春季安全不會對攔截的URL

當我在access="ROLE_ADMIN,ROLE_EMPLOYEE"
不止一個角色我得到異常： Caused by: java.lang.IllegalArgumentException: Failed to parse expression 'ROLE_ADMIN,ROLE_EMPLOYEE'
但是，如果我有一個角色：access="ROLE_ADMIN"它會正常工作
如果我直接降落在/Management/main/admin我不會規則將重定向：security:form-login login-page="/Management/auth/login/"，這意味着我可以耳鼻喉科呃沒有角色管理的應用程序。

這是我的彈簧security.xml文件

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xmlns:lang="http://www.springframework.org/schema/lang" 
     xmlns:context="http://www.springframework.org/schema/context" 
     xmlns:tx="http://www.springframework.org/schema/tx" 
     xmlns:sec="http://www.springframework.org/schema/security" 
     xsi:schemaLocation="http://www.springframework.org/schema/beans 
     http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
     http://www.springframework.org/schema/context 
     http://www.springframework.org/schema/context/spring-context-3.0.xsd 
     http://www.springframework.org/schema/tx 
     http://www.springframework.org/schema/tx/spring-tx-3.0.xsd 
     http://www.springframework.org/schema/security 
     http://www.springframework.org/schema/security/spring-security-3.0.xsd"> 

    <sec:global-method-security secured-annotations="enabled" jsr250-annotations="enabled" /> 
    <sec:http auto-config="true" use-expressions="true" 
     access-denied-page="/Management/auth/denied"> 

     <sec:intercept-url pattern="/Management/auth/login" filters="none" access="permitAll"/> 
     <sec:intercept-url pattern="/Management/main/admin" filters="none" access="ROLE_ADMIN,ROLE_EMPLOYEE" /> 
     <sec:intercept-url pattern="/Management/api/affiliates/**" filters="none" access="ROLE_ADMIN,ROLE_EMPLOYEE" /> 

     <sec:form-login login-page="/Management/auth/login/" 
      authentication-success-handler-ref="loginAuthenticationSuccessHandler" 
      authentication-failure-url="/Management/auth/login?error=true" 
      login-processing-url="/Management/auth/j_spring_security_check" 
      default-target-url="/Management/auth/login?error=false" /> 
     <sec:logout invalidate-session="true" 
      logout-success-url="/Management/auth/login/" logout-url="/Management/auth/logout" /> 
    </sec:http> 

    <sec:authentication-manager> 
     <sec:authentication-provider 
      user-service-ref="customUserDetailsService"> 
      <sec:password-encoder ref="passwordEncoder" /> 
     </sec:authentication-provider> 
    </sec:authentication-manager> 
    <bean id="loginAuthenticationSuccessHandler" class="com.affiliates.server.security.LoginAuthenticationSuccessHandler"> 
     <property name="defaultTargetUrl" value="/Management/auth/login?error=false"/> 
    </bean> 


    <bean 
     class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" 
     id="passwordEncoder" /> 
    <bean id="customUserDetailsService" class="com.affiliates.service.CustomUserDetailsService" /> 
</beans>

這是我的web.xml

<?xml version="1.0" encoding="UTF-8"?> 
<web-app id="WebApp_ID" version="2.4" 
    xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"> 
    <filter> 
     <filter-name>springSecurityFilterChain</filter-name> 
     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
    </filter> 
    <filter-mapping> 
     <filter-name>springSecurityFilterChain</filter-name> 
     <url-pattern>/*</url-pattern> 
    </filter-mapping> 
    <context-param> 
     <param-name>contextConfigLocation</param-name> 
     <param-value> 
     /WEB-INF/spring-security.xml 
     /WEB-INF/applicationContext.xml 
     </param-value> 
    </context-param> 
    <context-param> 
     <param-name>log4jConfigLocation</param-name> 
     <param-value>/WEB-INF/classes/log4j-myapp.properties</param-value> 
    </context-param> 
    <servlet> 
     <servlet-name>spring</servlet-name> 
     <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 
     <load-on-startup>1</load-on-startup> 
    </servlet> 
    <servlet-mapping> 
     <servlet-name>spring</servlet-name> 
     <url-pattern>/Management/*</url-pattern> 
    </servlet-mapping> 
    <listener> 
     <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
    </listener> 
</web-app>

來源

2011-03-10 fatnjazzy

你有springSecurityFilterChain過濾網址映射到你的web.xml吧？ – CoolBeans 2011-03-10 05:03:38

我已將我的web.xml添加到帖子 – fatnjazzy 2011-03-10 05:07:31

您使用使用表達式=真

你必須在攔截中使用SpEL RL像下面這樣：

<security:http auto-config="true" use-expressions="true" access-denied-page="/krams/auth/denied" > 

    <security:intercept-url pattern="/krams/auth/login" access="permitAll"/> 
    <security:intercept-url pattern="/krams/main/admin" access="hasRole('ROLE_ADMIN')"/> 
    <security:intercept-url pattern="/krams/main/common" access="hasRole('ROLE_USER')"/> 

    .... 
</security:http>

要看到這個動作，請訪問下面的教程：http://krams915.blogspot.com/2010/12/spring-security-3-mvc-using-simple-user.html

你可能想看看，以及對本土表達一些信息：http://krams915.blogspot.com/2010/12/spring-security-3-mvc-using-native.html

來源

2011-03-10 06:15:44 chris

我已將use-expressions設置爲false。謝謝！ – fatnjazzy 2011-03-10 06:36:57

是使用表達式默認值的真？我在我的xml中沒有使用表達式！它工作感謝 – dzgeek 2015-04-28 20:56:23

春季安全不會對攔截的URL

回答

相關問題