spring security 配置 intercept-url 时需要注意的几个问题

Spring Security 正则表达

Posted on  March 8, 2012  by  kevin

By default, after you’ve added Spring Security to your Roo app with ‘security setup’, you get an example config in a applicationContext-security.xml file like this:

    <http auto-config="true" use-expressions="true">
        <form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t"/>
        <logout logout-url="/resources/j_spring_security_logout"/>

        <!-- Configure these elements to secure URIs in your application -->
        <intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')"/>
        <intercept-url pattern="/member/**" access="isAuthenticated()" />
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/**" access="permitAll" />
    </http>

The default pattern matching approach is to use Ant style path matching. If you need to be more specific for what URLs you need to define security against, then you can change to use regex style pattern matching by adding this attribute to the <http> element:

<http ... path-type="regex" ... >

Now, let’s say you need to have different roles for creating verses listing member records – Spring Roo uses a couple of GET parameters to distinguish between these actions, so using regex you can match on these like this:

        <intercept-url pattern="/member?form" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/member?page.*" access="hasRole('ROLE_USER')" />

- See more at: http://www.kevinhooke.com/2012/03/08/configuring-spring-security-for-finer-grained-url-pattern-matching-with-a-spring-roo-app/#sthash.Y7x8MpVv.dpuf

Spring Security 顺序问题

http://www.fengfly.com/document/springsecurity3/core-web-filters.html

<bean id="filterInvocationInterceptor"
     class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="accessDecisionManager"/>
  <property name="runAsManager" ref="runAsManager"/>
  <property name="securityMetadataSource">
    <security:filter-security-metadata-source path-type="regex">
      <security:intercept-url pattern="\A/secure/super/.*\Z" access="ROLE_WE_DONT_HAVE"/>
      <security:intercept-url pattern="\A/secure/.*\" access="ROLE_SUPERVISOR,ROLE_TELLER"/>
    </security:filter-security-metadata-source>
  </property>
</bean>        

模式总是根据他们定义的顺序进行执行。因此很重要的是，把更确定的模式定义到列表的上面。 这会反映在你上面的例子中，更确定的/secure/super/模式放在，没那么确定的 /secure/模式的上面。如果它们被反转了。/secure/会一直 被匹配，/secure/super/就永远也不会执行。

多参数问题

<intercept-url pattern="/player/\?movie=warring-state.*" access="permitAll" />    

可以匹配 /video/edit?t=testtitle1&v=12   或者  /video/edit?t=testtitle1