
Spring <http> namespace seems to cause all non-role based pages to be allowed

I'm trying to configure Spring MVC to not authenticate any pages that have no authentication (enable the use of ROLE_ANONYMOUS as explicitly required for all pages).

But I get this message in the debug logs:

o.s.s.w.a.i.FilterSecurityInterceptor  - Public object - authentication not attempted

The FilterSecurityInterceptor is added by the namespace. And I think I need to setRejectPublicInvocations on the filter to disable this.

But I don't see any way to do this through the http namespace. Do I have to abandon using the http namespace entirely just to accomplish this?


In my case I basically did this, and it's working for anon users.

    <http auto-config="true" use-expressions="true">
        <!-- filters="none": these paths bypass the Spring Security filter chain entirely -->
        <intercept-url pattern="/css/**" filters="none" />
        <intercept-url pattern="/js/**" filters="none" />
        <intercept-url pattern="/img/**" filters="none" />
        <intercept-url pattern="/loginform.*" filters="none" />
        <!-- Role-protected areas -->
        <intercept-url pattern="/topic/addtopic**"
            access="hasAnyRole('USER_ROLE','ADMIN_ROLE','OPER_ROLE')" />
        <intercept-url pattern="/user/**"
            access="hasAnyRole('USER_ROLE','ADMIN_ROLE','OPER_ROLE')" />
        <intercept-url pattern="/admin/**" access="hasRole('ADMIN_ROLE')" />
        <intercept-url pattern="/cadastro.*" filters="none" />
        <form-login login-page="/loginform.html"
            authentication-failure-url="/loginform.html?error=invalido" />
    </http>
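One way to set the property the question asks about while keeping the `<http>` namespace, shown as an added example that is not part of the original posts: a `BeanPostProcessor` that flips `rejectPublicInvocations` on the namespace-created `FilterSecurityInterceptor`. The class name `RejectPublicInvocationsPostProcessor` is hypothetical, and the example assumes the interceptor is a Spring-managed bean in the same application context as the post-processor.

```java
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;

/**
 * Hypothetical helper (not from the original page): makes the
 * FilterSecurityInterceptor created by the <http> namespace refuse
 * "public" invocations, i.e. requests whose URL matches no
 * <intercept-url> access rule.
 *
 * Declare this class as an ordinary bean in the application context
 * that contains the <http> element; Spring detects BeanPostProcessor
 * beans automatically and applies them to every other bean it creates.
 */
public class RejectPublicInvocationsPostProcessor implements BeanPostProcessor {

    public Object postProcessBeforeInitialization(Object bean, String beanName)
            throws BeansException {
        if (bean instanceof FilterSecurityInterceptor) {
            // Setter inherited from AbstractSecurityInterceptor. With the
            // default (false), unmatched requests are logged as
            // "Public object - authentication not attempted" and allowed.
            ((FilterSecurityInterceptor) bean).setRejectPublicInvocations(true);
        }
        return bean;
    }

    public Object postProcessAfterInitialization(Object bean, String beanName)
            throws BeansException {
        // Nothing to change after initialization; return the bean untouched.
        return bean;
    }
}
```

With this in place an unmatched URL makes the interceptor throw an `IllegalArgumentException` instead of passing the request through, so every reachable URL needs an explicit access rule. Patterns marked `filters="none"` never reach the interceptor and are unaffected.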