Spring security
I've encountered a problem with my application that uses Spring Security. I have this configuration of the http tag in my security config file:
<http auto-config="true" use-expressions="true" path-type="regex">
<intercept-url pattern="\A/hero.jsp/$?chooseHero=\Z" access="hasRole('ROLE_HERO')" />
<intercept-url pattern="/.*" access="permitAll" />
<logout logout-success-url="/" />
</http>
There is a problem with the first intercept-url - the address is not matched. It basically means that anybody can access the /hero.jsp/$?chooseHero= section of my application. Am I missing something? When using only:
<intercept-url pattern="\A/hero.jsp\Z" access="hasRole('ROLE_HERO')" />
everything works just fine.
I have database-based authentication implemented.
Please, could anybody help me with this issue? Thank you for any hints or ideas.
The first intercept URL must be a valid regex; it is processed by a RegexRequestMatcher. This is an odd regex:
pattern="\A/hero.jsp/$?chooseHero=\Z"
Why do you need the $? Is it meant to be matched literally (it has a special meaning in regular expressions)? I guess so... Also, . and ? have special meanings.
Assuming you want all characters to be matched literally it has to be like this:
pattern="\A/hero\.jsp/\$\?chooseHero=\Z"
However, if everything is matched literally why do you need a regex at all? You may want to spare yourself the trouble and just use the simpler Ant-style matchers.
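Added example, not part of the original question or answer: a stand-alone Java check of which constructed request strings each version of the first rule covers, using the same first-match-wins ordering as the intercept-url list. The class and method names are hypothetical, and requestString is an assumption modelled on RegexRequestMatcher's documented behaviour of matching servletPath + pathInfo + "?" + queryString as one string.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class InterceptUrlRegexCheck {

    // Assumption: mirrors the documented RegexRequestMatcher behaviour of matching
    // servletPath + pathInfo + "?" + queryString as a single string.
    static String requestString(String servletPath, String pathInfo, String query) {
        StringBuilder sb = new StringBuilder(servletPath);
        if (pathInfo != null) sb.append(pathInfo);
        if (query != null) sb.append('?').append(query);
        return sb.toString();
    }

    // intercept-url rules are tried in declaration order; the first full match wins.
    static String accessFor(Map<String, String> rules, String request) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (Pattern.compile(rule.getKey()).matcher(request).matches()) {
                return rule.getValue();
            }
        }
        return "(no rule)";
    }

    // The two rules from the question's <http> block, with the first pattern swapped in.
    static Map<String, String> rules(String heroPattern) {
        Map<String, String> m = new LinkedHashMap<>();
        m.put(heroPattern, "hasRole('ROLE_HERO')");
        m.put("/.*", "permitAll");
        return m;
    }

    public static void main(String[] args) {
        Map<String, String> unescaped = rules("\\A/hero.jsp/$?chooseHero=\\Z");
        Map<String, String> escaped = rules("\\A/hero\\.jsp/\\$\\?chooseHero=\\Z");
        // Constructed sample requests: servletPath, pathInfo, queryString.
        String[][] samples = {
            {"/hero.jsp", "/$", "chooseHero="},
            {"/hero.jsp", "/$", "chooseHero=1"},
            {"/hero.jsp", "/chooseHero=", null},
            {"/hero.jsp", null, null},
        };
        for (String[] s : samples) {
            String req = requestString(s[0], s[1], s[2]);
            System.out.printf("%-28s unescaped=%-22s escaped=%s%n",
                    req, accessFor(unescaped, req), accessFor(escaped, req));
        }
    }
}
```

Because the escaped pattern ends in \Z directly after chooseHero=, it covers only the empty parameter value; any other value falls through to the permitAll rule. Ant-style matchers compare only servletPath + pathInfo and ignore the query string, so a rule that depends on chooseHero cannot be expressed with them.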