Spring security

I've encountered a problem with my application that uses Spring Security. I have this configuration of the http tag in my security config file:

 <http auto-config="true" use-expressions="true" path-type="regex">
     <intercept-url pattern="\A/hero.jsp/$?chooseHero=\Z" access="hasRole('ROLE_HERO')" />
     <intercept-url pattern="/.*" access="permitAll" />
     <logout logout-success-url="/" />              
 </http>

There is a problem with the first intercept-url - the address is not matched. It basically means that anybody can access the /hero.jsp/$?chooseHero= section of my application. Am I missing something? When using only:

   <intercept-url pattern="\A/hero.jsp\Z" access="hasRole('ROLE_HERO')" />

everything works just fine.

I have database-based authentication implemented.

Please, could anybody help me with this issue? Thank you for any hints or ideas.


The first intercept URL must be a valid regex; it is processed by a RegexRequestMatcher. This is an odd regex:

pattern="\A/hero.jsp/$?chooseHero=\Z"

Why do you need the $ ? Is it meant to be matched literally (it has a special meaning in regular expressions)? I guess so... Also, . and ? have special meanings.

Assuming you want all characters to be matched literally it has to be like this:

pattern="\A/hero\.jsp/\$\?chooseHero=\Z"

However, if everything is matched literally why do you need a regex at all? You may want to spare yourself the trouble and just use the simpler Ant-style matchers.
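As an added illustration (this is not code from the question, the answer, or Spring Security itself), the stand-alone Java program below applies the two patterns from this thread the way Spring Security's RegexRequestMatcher does: the string under test is servletPath + pathInfo plus "?" + queryString when a query string is present, and the test is Pattern.matcher(url).matches(), so the whole string must match. The request strings are constructed for this example, and the class and method names are mine. It shows why the unescaped pattern never matches the intended URL: in java.util.regex `$?` is an optional end-of-input anchor, not the two literal characters, so `/hero.jsp/$?chooseHero=` falls through to the `/.*` rule and is permitted to everyone, while the escaped pattern catches it.

```java
import java.util.List;
import java.util.regex.Pattern;

/**
 * Stand-in for the relevant part of Spring Security's RegexRequestMatcher:
 * assemble the request string the same way and apply a full-string match.
 * Example code; not part of Spring Security.
 */
public class InterceptUrlRegexCheck {

    /** One intercept-url entry: a regex pattern and its access expression. */
    static final class Rule {
        final String pattern;
        final String access;

        Rule(String pattern, String access) {
            this.pattern = pattern;
            this.access = access;
        }

        /** RegexRequestMatcher uses matches(), so \A and \Z are redundant but harmless. */
        boolean matches(String url) {
            return Pattern.compile(pattern).matcher(url).matches();
        }
    }

    /** Mirrors how RegexRequestMatcher builds the string it matches against. */
    static String requestString(String servletPath, String pathInfo, String queryString) {
        StringBuilder sb = new StringBuilder(servletPath);
        if (pathInfo != null) {
            sb.append(pathInfo);
        }
        if (queryString != null) {
            sb.append('?').append(queryString);
        }
        return sb.toString();
    }

    /** intercept-url entries are evaluated in order; the first match wins. */
    static String decide(List<Rule> rules, String url) {
        for (Rule rule : rules) {
            if (rule.matches(url)) {
                return rule.access;
            }
        }
        return "(no rule matched)";
    }

    public static void main(String[] args) {
        // Constructed sample requests for this example.
        List<String> urls = List.of(
            requestString("/hero.jsp", "/$", "chooseHero="),   // the URL the question wants to protect
            requestString("/hero.jsp", "/chooseHero=", null),  // same path without the "$?" characters
            requestString("/hero.jsp", null, null),
            requestString("/hero.jsp", null, "chooseHero=1"));

        // Pattern as posted in the question: '.', '$' and '?' keep their regex meaning.
        String unescaped = "\\A/hero.jsp/$?chooseHero=\\Z";
        // Pattern with every special character escaped so it is matched literally.
        String escaped = "\\A/hero\\.jsp/\\$\\?chooseHero=\\Z";

        for (String first : List.of(unescaped, escaped)) {
            List<Rule> rules = List.of(
                new Rule(first, "hasRole('ROLE_HERO')"),
                new Rule("/.*", "permitAll"));
            System.out.println("pattern " + first);
            for (String url : urls) {
                System.out.printf("  %-26s -> %s%n", url, decide(rules, url));
            }
        }
    }
}
```

With the unescaped pattern, `/hero.jsp/$?chooseHero=` is decided by the catch-all and comes back `permitAll`, while `/hero.jsp/chooseHero=` (no `$?` at all) unexpectedly gets `hasRole('ROLE_HERO')`, because the optional anchor matches the empty string; with the escaped pattern only the intended URL is protected. Two practical caveats follow from this. First, a rule that never matches fails open whenever the last rule is `permitAll`, so it is safer to end the list with a restrictive catch-all such as `denyAll` or `isAuthenticated()` and grant public access explicitly. Second, if you switch to Ant-style matchers as the answer suggests, remember that AntPathRequestMatcher ignores the query string, so the restriction must be expressed on the path alone (for example `/hero.jsp/**`), not on `chooseHero=`.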
