0

我一直在玩 Spring Security 并注意到以下奇怪之处。

当我<http>在我的安全上下文 XML 中指定这样的块时。

<http>
    <http-basic/>

    <port-mappings>
        <port-mapping http="8080" https="8181"/>
    </port-mappings>

    <intercept-url pattern="/url1**" access="ROLE_ROLE1" requires-channel="https"/>
    <intercept-url pattern="/url2**" access="ROLE_ROLE2"/>
    <intercept-url pattern="/url3**" access="ROLE_ROLE3" />
    <!-- <intercept-url pattern="/**" access="ROLE_ADMIN" />
</http>

当我用浏览器点击各种 URL 时,所有 URL 似乎都会触发 HTTP 基本身份验证。

这很好,符合我的预期,但是当我将方法参数添加到 1 个拦截 URL 时,如下所示:

<http>
    <http-basic/>

    <port-mappings>
        <port-mapping http="8080" https="8181"/>
    </port-mappings>

    <intercept-url pattern="/url1**" access="ROLE_ROLE1" requires-channel="https"/>
    <intercept-url pattern="/url2**" access="ROLE_ROLE2" method="GET"/>
    <intercept-url pattern="/url3**" access="ROLE_ROLE3" />
    <!-- <intercept-url pattern="/**" access="ROLE_ADMIN" />
</http>

/url2除了我明确将方法设置为 ( )的 URL 之外,所有 URL 的基本身份验证均已关闭。

这是它应该如何工作的,因为它对我来说似乎有点愚蠢。这是一个错误吗?

4

1 回答 1

2

现在我已经用 https 测试了 url1并且它可以工作。我被重定向,然后出现登录对话框。
将日志记录级别设置为 DEBUG 它会打印: 

DEBUG DefaultFilterInvocationDefinitionSource,http-8443-1:196 - Converted URL to lowercase, from: '/url1/'; to: '/url1/'  
DEBUG DefaultFilterInvocationDefinitionSource,http-8443-1:224 - Candidate is: '/url1/'; pattern is /url2**; matched=false  
DEBUG DefaultFilterInvocationDefinitionSource,http-8443-1:224 - Candidate is: '/url1/'; pattern is /url1**; matched=true  
DEBUG AbstractSecurityInterceptor,http-8443-1:250 - Secure object: FilterInvocation: URL: /url1/; ConfigAttributes: [ROLE_USER]
DEBUG XmlWebApplicationContext,http-8443-1:244 - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext@17af46e]: org.springframework.security.event.authorization.AuthenticationCredentialsNotFoundEvent[source=FilterInvocation: URL: /url1/]
DEBUG ExceptionTranslationFilter,http-8443-1:150 - Authentication exception occurred; redirecting to authentication entry point

这是配置:

<http>
  <http-basic/>
  <port-mappings>
     <port-mapping http="8080" https="8443"/>
  </port-mappings>
  <intercept-url pattern="/url1**" access="ROLE_USER" requires-channel="https"/>
  <intercept-url pattern="/url2**" access="ROLE_TELLER" method="GET"/>
  <intercept-url pattern="/url3**" access="ROLE_SUPERVISOR" />      
</http>
于 2009-09-03T21:28:49.477 回答