开发者

Spring security wont redirect on intercept-url

问答 作者:

I have 2 problems with spring my spring-security.xml

  1. When I have more than one role in access="ROLE_ADMIN,ROLE_EMPLOYEE"

    I get the exception: Caused by: java.lang.IllegalArgumentException: Failed to parse expression 'ROLE_ADMIN,ROLE_EMPLOYEE'

    But if I have one role: access="ROLE_ADMIN" it will work fine

  2. If I land directly on /Management/main/admin I wont be redirected by the rule: security:form-login login-page="/Management/auth/login/", meaning I can enter the application without role admin.

this is my spring-security.xml

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:lang="http://www.springframework.org/schema/lang"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:sec="http://www.springframework.org/schema/security" 
       xsi:schemaLocation="http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context 
        http://www.springframework.org/schema/context/spring-context-3.0.xsd
        http://www.springframework.org/schema/tx 
        http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <sec:global-method-security secured-annotations="enabled"  jsr250-annotations="enabled" />
    <sec:http auto-config="true" use-expressions="true"
        access-denied-page="/Management/auth/denied">

        <sec:intercept-url pattern="/Management/auth/login" filters="none" access="permitAll"/>
        <sec:intercept-url pattern="/Management/main/admin" filters="none" access="ROLE_ADMIN,ROLE_EMPLOYEE" />
        <sec:intercept-url pattern="/Management/api/affiliates/**" filters="none" access="ROLE开发者_高级运维_ADMIN,ROLE_EMPLOYEE" />

        <sec:form-login  login-page="/Management/auth/login/"
             authentication-success-handler-ref="loginAuthenticationSuccessHandler"
            authentication-failure-url="/Management/auth/login?error=true"
            login-processing-url="/Management/auth/j_spring_security_check"
            default-target-url="/Management/auth/login?error=false" />
        <sec:logout invalidate-session="true"
            logout-success-url="/Management/auth/login/" logout-url="/Management/auth/logout" />
    </sec:http>

    <sec:authentication-manager>
        <sec:authentication-provider
            user-service-ref="customUserDetailsService">
            <sec:password-encoder ref="passwordEncoder" />
        </sec:authentication-provider>
    </sec:authentication-manager>
    <bean id="loginAuthenticationSuccessHandler" class="com.affiliates.server.security.LoginAuthenticationSuccessHandler">
        <property name="defaultTargetUrl" value="/Management/auth/login?error=false"/>
    </bean>


    <bean
        class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"
        id="passwordEncoder" />
    <bean id="customUserDetailsService" class="com.affiliates.service.CustomUserDetailsService" />
</beans>

this is my web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
        /WEB-INF/spring-security.xml
        /WEB-INF/applicationContext.xml
        </param-value>
    </context-param>
    <context-param>
        <param-name>log4jConfigLocation</param-name>
        <param-value>/WEB-INF/classes/log4j-myapp.properties</param-value>
    </context-param>
    <servlet>
        <servlet-name>spring</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>spring</servlet-name>
        <url-pattern>/Management/*</url-pattern>
    </servlet-mapping>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
</web-app>

You're using use-expressions=true

You have to use SpEL in your intercept-url like the following:

 <security:http auto-config="true" use-expressions="true" access-denied-page="/krams/auth/denied" >

  <security:intercept-url pattern="/krams/auth/login" access="permitAll"/>
  <security:intercept-url pattern="/krams/main/admin" access="hasRole('ROLE_ADMIN')"/>
  <security:intercept-url pattern="/krams/main/common" access="hasRole('ROLE_USER')"/>

  ....
 </security:http>

To see this in action, visit the following tutorial: http://krams915.blogspot.com/2010/12/spring-security-3-mvc-using-simple-user.html

You might wanna look as well some info about native expressions: http://krams915.blogspot.com/2010/12/spring-security-3-mvc-using-native.html

继续阅读:authenticationspring-security

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9