Я пытаюсь ограничить доступ к HTML-файлам, которые отдаёт сервер Tomcat, с помощью Spring Security (3.0.3). Отправной точкой послужила эта тема: «Как защитить статические html-файлы с помощью Spring 3.0.3 Security?»
Я не использую тег mvc:resources, так как в этой версии Spring его ещё нет.
Вот моя конфигурация.
spring-security.xml
<!-- Fragment of spring-security.xml (Spring Security 3.0.3 namespace), shown without its enclosing root element. -->
<security:http auto-config="true" use-expressions="true">
<!-- The pattern has no leading '/': the URL matcher is given the full request path
     (the debug output reports "pattern is **/admin.html; matched=false" for /app/views/admin.html),
     so this rule never fires and the request falls through to the catch-all rule below.
     Note also that the access attribute is missing its closing quote before "/>". -->
<security:intercept-url pattern="**/admin.html" access="hasRole('ROLE_ADMIN')/>
<!-- Catch-all rule. Rules are evaluated in document order and the first matching pattern
     decides (the debug output tests **/admin.html before /**), so this must stay after the
     more specific admin rule. -->
<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<!-- HTTP Basic sends the credentials base64-encoded on every request; serve over TLS only. -->
<security:http-basic />
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<!-- In-memory users with plaintext passwords: adequate for a local demo, not for a deployed system. -->
<security:user-service>
<security:user name="ved" password="12345" authorities="ROLE_USER" />
<security:user name="admin" password="admin" authorities="ROLE_ADMIN" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
Debug
09:59:39,873 DEBUG FilterChainProxy:175 - Converted URL to lowercase, from: '/app/views/admin.html'; to: '/app/views/admin.html'
09:59:39,874 DEBUG FilterChainProxy:182 - Candidate is: '/app/views/admin.html'; pattern is /**; matched=true
09:59:39,874 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 1 of 11 in additional filter chain; firing Filter: 'org.spring[email protected]1670cc6'
09:59:39,874 DEBUG HttpSessionSecurityContextRepository:165 - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: '[email protected]2b6f9e: Authentication: org.springframew[email protected]b92b6f9e: Principal: [email protected]5: Username: ved; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: CC43ECD3050181A4FFAB5B4897D78AEE; Granted Authorities: ROLE_USER'
09:59:39,874 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 2 of 11 in additional filter chain; firing Filter: 'org.[email protected]1e04a35'
09:59:39,874 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 3 of 11 in additional filter chain; firing Filter: 'org.springframework.s[email protected]281902'
09:59:39,875 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 4 of 11 in additional filter chain; firing Filter: 'org.springframework.[email protected]81d783'
09:59:39,875 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 5 of 11 in additional filter chain; firing Filter: 'org.springfram[email protected]6c01b9'
09:59:39,876 DEBUG BasicAuthenticationFilter:131 - Basic Authentication Authorization header found for user 'ved'
09:59:39,876 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 6 of 11 in additional filter chain; firing Filter: 'org.sp[email protected]e5307e'
09:59:39,876 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 7 of 11 in additional filter chain; firing Filter: 'org.springframework.[email protected]d2bb53'
09:59:39,876 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 8 of 11 in additional filter chain; firing Filter: 'org.springfram[email protected]58ff51'
09:59:39,877 DEBUG AnonymousAuthenticationFilter:72 - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframew[email protected]b92b6f9e: Principal: [email protected]: Username: ved; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: CC43ECD3050181A4FFAB5B4897D78AEE; Granted Authorities: ROLE_USER'
09:59:39,877 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 9 of 11 in additional filter chain; firing Filter: 'o[email protected]e22632'
09:59:39,877 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 10 of 11 in additional filter chain; firing Filter: 'org[email protected]139d891'
09:59:39,877 DEBUG FilterChainProxy:350 - /app/views/admin.html at position 11 of 11 in additional filter chain; firing Filter: 'org.springfr[email protected]b92dc2'
09:59:39,878 DEBUG ExpressionBasedFilterInvocationSecurityMetadataSource:173 - Converted URL to lowercase, from: '/app/views/admin.html'; to: '/app/views/admin.html'
09:59:39,878 DEBUG ExpressionBasedFilterInvocationSecurityMetadataSource:200 - Candidate is: '/app/views/admin.html'; pattern is **/admin.html; matched=false
09:59:39,878 DEBUG ExpressionBasedFilterInvocationSecurityMetadataSource:200 - Candidate is: '/app/views/admin.html'; pattern is /**; matched=true
09:59:39,879 DEBUG FilterSecurityInterceptor:191 - Secure object: FilterInvocation: URL: /app/views/admin.html; Attributes: [hasAnyRole('ROLE_USER','ROLE_ADMIN')]
Как видно, здесь:
09:59:39,878 DEBUG ExpressionBasedFilterInvocationSecurityMetadataSource:200 - Candidate is: '/app/views/admin.html'; pattern is **/admin.html; matched=false
Страница администратора по-прежнему отдаётся пользователю с ролью ROLE_USER.
Буду признателен за любую помощь в исправлении этого.
Добавьте ведущий '/': в текущем виде шаблон никогда не совпадёт. –
Действительно. Спасибо, дружище!!!! –