1

我创建了这个简单的 AdminController:

@Controller
@RequestMapping("admin")
public class AdminController {
    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    @RequestMapping(value = "/", method = RequestMethod.GET)
    public @ResponseBody String welcomeAdmin() {
        return "Spring Security - ROLE_ADMIN";
    }   
    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    @RequestMapping(value = "/{query}", method = RequestMethod.GET)
    public @ResponseBody String welcomeAdmin(@PathVariable String query) {
        return query;
    }
}

这是security-context.xml

<http auto-config="true">
    <intercept-url pattern="/admin*" access="ROLE_ADMIN"/>
    <logout logout-success-url="/admin" />
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="user" password="password" authorities="ROLE_USER" />
            <user name="admin" password="password" authorities="ROLE_ADMIN" />
        </user-service>
    </authentication-provider>
</authentication-manager>

web.xml中加载:

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring/root-context.xml
        /WEB-INF/spring/appServlet/security-context.xml
    </param-value>
</context-param>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

没有错误,但是/admin任何人都可以访问资源,为什么资源没有被 Spring 安全过滤?

4

2 回答 2

3

我认为这是因为

<logout logout-success-url="/admin" />

根据该行,一旦用户注销,将显示该 URL。注销页面不安全,因为未经身份验证的用户必须可以访问它。它可能会覆盖第一个条件。

于 2012-07-30T19:57:57.890 回答
1

你用的是什么版本的spring security?

在您需要的security-context.xml中

<global-method-security pre-post-annotations="enabled" >
</global-method-security>

为了使用注释。

你也应该尝试:

<intercept-url pattern="/admin*" access="hasRole('ROLE_ADMIN')"/>
于 2012-07-31T17:57:16.337 回答