Spring-security cannot match “?parameter” format?

五迷三道 提交于 2019-11-28 03:54:31

问题


I use spring-security to secure my web, when I'm learning it by spring-roo generated config file in applicationContext-security.xml, in <http> node:

 <intercept-url pattern="/userses?form" access="hasRole('ROLE_ADMIN')" />

It means when you want to create a Users object, firstly you need to login to get ADMIN permission. But actually it didn't work. Check the log:

2012-05-06 11:39:11,250 [http-8088-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/userses'; against '/userses?form'

The framework use the /userses instead of /userses?form to compare with, authentication process skipped as string didn't match. To verify this I also try another url:

<intercept-url pattern="/userses/abc" access="hasRole('ROLE_ADMIN')" />

I requested the /userses/abc, it detected user is not authorized, and moved to /login page, checked the log:

2012-05-06 11:46:44,343 [http-8088-7] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/uesrses/abc'; against '/userses/abc'

So my question is: Doesn't spring-secure 3 support "?parameter" pattern or I missed something to config to support this? PS: All the code is generated by roo without modification, also wonder why it doesn't work.


回答1:


By default spring security uses ant style matching, which can't match on parameters. Regex matching, however, can match on parameters

Try defining it like so:

<http request-matcher="regex">
  <security:intercept-url pattern="\A/userses\?form.*\Z" access="hasRole('ROLE_ADMIN')" />
</http>

Don't know why Roo doesn't do this automatically. Seems like it should.




回答2:


That behavior is defined by the "request-matcher" in use. As indicated by the documentation, the default is "ant", which indicates to use an AntPathRequestMatcher, and an alternative is "regex", the RegexRequestMatcher. The javadocs (linked) give specifics about the matchers, including the fact that the former matches against a request's "servletPath + pathInfo", and the latter against its "servletPath + pathInfo + queryString".



来源:https://stackoverflow.com/questions/10467930/spring-security-cannot-match-parameter-format

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!