
I just started to read on Spring Security 3.1 and I would like to know how I can enforce user to authenticate through my login page before accessing any pages on my system. On a tutorial I see the following code

<http use-expressions="true">
    <intercept-url pattern="/index.jsp" access="permitAll" />
    <intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')" />
    <intercept-url pattern="/secure/**" access="isAuthenticated()" />
    <intercept-url pattern="/listAccounts.html" access="isAuthenticated()" />
    <intercept-url pattern="/post.html" access="hasAnyRole('supervisor','teller')" />
    <intercept-url pattern="/**" access="denyAll" />
    <form-login />
</http>

From the above configuration I can see that I have to maintain the list of url pattern. Is there a way to simplify this that every user has to login through "/login" before can access any other page ?

EDIT:

I have edited my configuration as below and its working as I expected

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/loginfailed" access="permitAll" />
    <intercept-url pattern="/logout" access="permitAll" />
    <form-login login-page="/login" default-target-url="/welcome"
        authentication-failure-url="/loginfailed" />
    <logout logout-success-url="/login" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
</http>

1 Answer


The URL rules are checked in order, from top to bottom. The first one that matches is the one that is used.

In this example, the last line

<intercept-url pattern="/**" access="denyAll" />

is the catch-all rule. It applies to every request ("/**") that did not match any of the rules above it.

In its current form it denies access to everyone, no matter what. If you change it to

<intercept-url pattern="/**" access="isAuthenticated()" />

instead, it will require authentication for all pages unless stated otherwise, which causes Spring Security to redirect unauthenticated users to the login process.

answered 2012-10-15T15:07:04.617
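The first-match evaluation the answer describes is easy to get wrong when rules are reordered, so here is an added example (not code from the question, the answer, or Spring Security itself) that models how a list of <intercept-url> rules is applied. It uses a simplified Ant-style matcher and only the access expressions that appear on this page; the treatment of a request that matches no rule (no constraint applied, as with the default namespace configuration) is an assumption stated in the code. It walks the tutorial's rule list, the asker's edited list, and a deliberately mis-ordered list in which "/**" is placed first, which makes even "/login" require authentication.

```python
import re
from typing import List, Optional, Sequence, Tuple

Rule = Tuple[str, str]  # (intercept-url pattern, access expression)


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path pattern into a regex (simplified model,
    not Spring's AntPathMatcher): '/**' matches zero or more further path
    segments, '*' matches within one segment, '?' matches one character."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def first_matching_rule(rules: Sequence[Rule], path: str) -> Optional[Rule]:
    """Rules are checked top to bottom; the first pattern that matches wins."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return (pattern, access)
    return None


def evaluate_access(access: str, authenticated: bool, roles: Sequence[str]) -> bool:
    """Evaluate the subset of access expressions used on this page."""
    if access == "permitAll":
        return True
    if access == "denyAll":
        return False
    if access == "isAuthenticated()":
        return authenticated
    m = re.fullmatch(r"hasRole\('([^']+)'\)", access)
    if m:
        return m.group(1) in roles
    m = re.fullmatch(r"hasAnyRole\(([^)]*)\)", access)
    if m:
        wanted = {r.strip().strip("'") for r in m.group(1).split(",")}
        return bool(wanted & set(roles))
    raise ValueError(f"unsupported access expression: {access}")


def is_allowed(rules: Sequence[Rule], path: str,
               authenticated: bool = False, roles: Sequence[str] = ()) -> bool:
    hit = first_matching_rule(rules, path)
    if hit is None:
        # Assumption: with no matching <intercept-url>, no constraint is
        # applied, which is why a trailing "/**" rule is needed as catch-all.
        return True
    return evaluate_access(hit[1], authenticated, roles)


# The tutorial's rule list from the question (constructed here as data).
TUTORIAL_RULES: List[Rule] = [
    ("/index.jsp", "permitAll"),
    ("/secure/extreme/**", "hasRole('supervisor')"),
    ("/secure/**", "isAuthenticated()"),
    ("/listAccounts.html", "isAuthenticated()"),
    ("/post.html", "hasAnyRole('supervisor','teller')"),
    ("/**", "denyAll"),
]

# The asker's edited configuration: catch-all requires authentication.
EDITED_RULES: List[Rule] = [
    ("/login", "permitAll"),
    ("/loginfailed", "permitAll"),
    ("/logout", "permitAll"),
    ("/**", "isAuthenticated()"),
]

# Mis-ordered variant: "/**" first shadows every rule below it, so the
# login page itself demands authentication (a redirect loop in practice).
SHADOWED_RULES: List[Rule] = [
    ("/**", "isAuthenticated()"),
    ("/login", "permitAll"),
]

if __name__ == "__main__":
    for rules, name in ((TUTORIAL_RULES, "tutorial"), (EDITED_RULES, "edited"),
                        (SHADOWED_RULES, "shadowed")):
        for path in ("/login", "/secure/extreme/x", "/welcome"):
            hit = first_matching_rule(rules, path)
            print(f"{name:9s} {path:20s} -> rule {hit} "
                  f"anonymous={is_allowed(rules, path)} "
                  f"teller={is_allowed(rules, path, True, ('teller',))}")
```

The point to check in your own configuration is the one the answer makes: any rule placed after "/**" can never be reached, so the permitAll entries for the login, failure and logout URLs must come before the catch-all.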