Spring <http> namespace seems to cause all non-role based pages to be allowed
I'm trying to configure Spring MVC to not authenticate any pages that have no authentication (enable the use of ROLE_ANONYMOUS as explicitly required for all pages).
But I get this message in the debug logs:
o.s.s.w.a.i.FilterSecurityInterceptor - Public object - authentication not attempted
The FilterSecurityInterceptor is added by the namespace. And I think I need to setRejectPublicInvocations on the filter to disable this.
But I don't see any way to do this through the http namespace. Do I have to abandon using the http namespace entirely just to accomplish this?
In my case I basically did this, and it's working for anon users.
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/css/**" filters="none" />
    <intercept-url pattern="/js/**" filters="none" />
    <intercept-url pattern="/img/**" filters="none" />
    <intercept-url pattern="/loginform.*" filters="none" />
    <intercept-url pattern="/topic/addtopic**"
        access="hasAnyRole('USER_ROLE','ADMIN_ROLE','OPER_ROLE')" />
    <intercept-url pattern="/user/**"
        access="hasAnyRole('USER_ROLE','ADMIN_ROLE','OPER_ROLE')" />
    <intercept-url pattern="/admin/**" access="hasRole('ADMIN_ROLE')" />
    <intercept-url pattern="/cadastro.*" filters="none" />
    <form-login login-page="/loginform.html"
        authentication-failure-url="/loginform.html?error=invalido" />
</http>
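
One way to set rejectPublicInvocations while keeping the <http> namespace, as the question asks, is a BeanPostProcessor that adjusts the FilterSecurityInterceptor the namespace creates. This is an added example, not code from either post; the package and class names are hypothetical, and it assumes the class is declared as a bean in the same application context as the <http> element.

```java
package com.example.security; // hypothetical package name

import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;

/**
 * Turns on rejectPublicInvocations for the FilterSecurityInterceptor that
 * the <http> namespace registers, so a request matching no intercept-url
 * pattern is refused instead of being logged as
 * "Public object - authentication not attempted" and served.
 *
 * Assumption: this class is declared as a plain bean in the same
 * application context as the <http> element.
 */
public class RejectPublicInvocationsPostProcessor implements BeanPostProcessor {

    public Object postProcessBeforeInitialization(Object bean, String beanName)
            throws BeansException {
        if (bean instanceof FilterSecurityInterceptor) {
            // With this flag set, AbstractSecurityInterceptor throws an
            // IllegalArgumentException for any secure object that has no
            // configuration attributes, so every URL that must be reachable
            // needs its own intercept-url entry with an access rule.
            ((FilterSecurityInterceptor) bean).setRejectPublicInvocations(true);
        }
        return bean;
    }

    public Object postProcessAfterInitialization(Object bean, String beanName)
            throws BeansException {
        // Nothing to change after initialization; return the bean untouched.
        return bean;
    }
}
```

Patterns declared with filters="none" bypass the security filter chain entirely, so the interceptor never sees those requests and this setting does not apply to them.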