У меня 2 проблемы с пружиной my spring-security.xml
Когда у меня более одной роли в access="ROLE_ADMIN,ROLE_EMPLOYEE" Я получаю исключение: Caused by: java.lang.IllegalArgumentException: Failed to parse expression 'ROLE_ADMIN,ROLE_EMPLOYEE' Но если у меня одна роль: access="ROLE_ADMIN", она будет отлично работать
access="ROLE_ADMIN,ROLE_EMPLOYEE"
Caused by: java.lang.IllegalArgumentException: Failed to parse expression 'ROLE_ADMIN,ROLE_EMPLOYEE'
access="ROLE_ADMIN"
Если я попаду прямо на /Management/main/admin, меня не будет перенаправлять правило: security:form-login login-page="/Management/auth/login/", то есть я могу войти в приложение без роли администратора.
/Management/main/admin
security:form-login login-page="/Management/auth/login/"
это мой spring-security.xml
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:lang="http://www.springframework.org/schema/lang" xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:sec="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> <sec:global-method-security secured-annotations="enabled" jsr250-annotations="enabled" /> <sec:http auto-config="true" use-expressions="true" access-denied-page="/Management/auth/denied"> <sec:intercept-url pattern="/Management/auth/login" filters="none" access="permitAll"/> <sec:intercept-url pattern="/Management/main/admin" filters="none" access="ROLE_ADMIN,ROLE_EMPLOYEE" /> <sec:intercept-url pattern="/Management/api/affiliates/**" filters="none" access="ROLE_ADMIN,ROLE_EMPLOYEE" /> <sec:form-login login-page="/Management/auth/login/" authentication-success-handler-ref="loginAuthenticationSuccessHandler" authentication-failure-url="/Management/auth/login?error=true" login-processing-url="/Management/auth/j_spring_security_check" default-target-url="/Management/auth/login?error=false" /> <sec:logout invalidate-session="true" logout-success-url="/Management/auth/login/" logout-url="/Management/auth/logout" /> </sec:http> <sec:authentication-manager> <sec:authentication-provider user-service-ref="customUserDetailsService"> <sec:password-encoder ref="passwordEncoder" /> </sec:authentication-provider> </sec:authentication-manager> <bean id="loginAuthenticationSuccessHandler" class="com.affiliates.server.security.LoginAuthenticationSuccessHandler"> <property name="defaultTargetUrl" value="/Management/auth/login?error=false"/> </bean> <bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder" /> <bean id="customUserDetailsService" class="com.affiliates.service.CustomUserDetailsService" /> </beans>
это мой web.xml
<?xml version="1.0" encoding="UTF-8"?> <web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/spring-security.xml /WEB-INF/applicationContext.xml </param-value> </context-param> <context-param> <param-name>log4jConfigLocation</param-name> <param-value>/WEB-INF/classes/log4j-myapp.properties</param-value> </context-param> <servlet> <servlet-name>spring</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>spring</servlet-name> <url-pattern>/Management/*</url-pattern> </servlet-mapping> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> </web-app>
Вы используете use-expressionions = true
Вы должны использовать SpEL в вашем URL-адресе перехвата, как показано ниже:
<security:http auto-config="true" use-expressions="true" access-denied-page="/krams/auth/denied" > <security:intercept-url pattern="/krams/auth/login" access="permitAll"/> <security:intercept-url pattern="/krams/main/admin" access="hasRole('ROLE_ADMIN')"/> <security:intercept-url pattern="/krams/main/common" access="hasRole('ROLE_USER')"/> .... </security:http>
Чтобы увидеть это в действии, посетите следующий учебник: http://krams915.blogspot.com/2010/12/spring-security-3-mvc-using-simple-user.html
Вы также можете посмотреть некоторую информацию о нативных выражениях: http://krams915.blogspot.com/2010/12/spring-security-3-mvc-using-native.html