我想配置弹簧安全性,以便将一个特定资源锁定到一个组,其余资源可供任何登录用户使用。我的 security.xml 看起来像这样
<http auto-config="true" create-session="stateless" use-expressions="true">
<intercept-url pattern="/server/**" access="hasRole('ROLE_DEV-USER')" method="POST" requires-channel="https"/>
<intercept-url pattern="/**" access="isFullyAuthenticated()" method="POST" requires-channel="https"/>
<intercept-url pattern="/**" access="isFullyAuthenticated()" method="PUT" requires-channel="https"/>
<intercept-url pattern="/**" access="isFullyAuthenticated()" method="DELETE" requires-channel="https"/>
<intercept-url pattern="/**" access="permitAll" method="GET" requires-channel="any"/>
<intercept-url pattern="/**" access="permitAll" method="HEAD" requires-channel="any"/>
<http-basic />
<logout />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_NOT-DEV-USER" />
<user name="admin2" password="admin2" authorities="ROLE_DEV-USER" />
</user-service>
</authentication-provider>
</authentication-manager>
我希望唯一的管理员能够发布到服务器/启用和服务器/禁用。我实际看到的是 admin 和 admin2 都可以 POST 到服务器/启用资源。好像 /server/** 被忽略了,下一个更通用的拦截 URL 正在取而代之。启动日志显示正在加载的所有行
2013-08-21 15:07:42,124 INFO FilterInvocationSecurityMetadataSourceParser:134 - Creating access control expression attribute 'hasRole('ROLE_DEV-USER')' for /server/**
2013-08-21 15:07:42,125 INFO FilterInvocationSecurityMetadataSourceParser:134 - Creating access control expression attribute 'isFullyAuthenticated()' for /**
2013-08-21 15:07:42,125 INFO FilterInvocationSecurityMetadataSourceParser:134 - Creating access control expression attribute 'isFullyAuthenticated()' for /**
2013-08-21 15:07:42,126 INFO FilterInvocationSecurityMetadataSourceParser:134 - Creating access control expression attribute 'isFullyAuthenticated()' for /**
2013-08-21 15:07:42,126 INFO FilterInvocationSecurityMetadataSourceParser:134 - Creating access control expression attribute 'permitAll' for /**
2013-08-21 15:07:42,127 INFO FilterInvocationSecurityMetadataSourceParser:134 - Creating access control expression attribute 'permitAll' for /**
目前使用spring v3.1.2