我创建了这个简单的 AdminController:
@Controller
@RequestMapping("admin")
public class AdminController {
@PreAuthorize("hasAuthority('ROLE_ADMIN')")
@RequestMapping(value = "/", method = RequestMethod.GET)
public @ResponseBody String welcomeAdmin() {
return "Spring Security - ROLE_ADMIN";
}
@PreAuthorize("hasAuthority('ROLE_ADMIN')")
@RequestMapping(value = "/{query}", method = RequestMethod.GET)
public @ResponseBody String welcomeAdmin(@PathVariable String query) {
return query;
}
}
这是security-context.xml:
<http auto-config="true">
<intercept-url pattern="/admin*" access="ROLE_ADMIN"/>
<logout logout-success-url="/admin" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user" password="password" authorities="ROLE_USER" />
<user name="admin" password="password" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
在 web.xml 中加载:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/root-context.xml
/WEB-INF/spring/appServlet/security-context.xml
</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
没有错误,但是/admin资源是任何人都可以访问的,为什么这个资源没有被Spring安全过滤?
最佳答案
我觉得是因为
<logout logout-success-url="/admin" />
根据该行,一旦用户注销,就会显示该 URL。注销页面不安全,因为未经身份验证的用户必须可以访问它。它可能会覆盖第一个条件。
关于java - 资源未被 Spring 安全性过滤,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/11728575/