Spring Security 3: hasRole rules are separately checked or?

I have this case in my project:

Suppose we have these two lines to define Spring Security access rules:

<intercept-url pattern="/xxx/*" access="isAuthenticated() and (hasRole('roleA') or hasRole('roleB'))" /> 
<intercept-url pattern="/xxx/yyy*" access="isAuthenticated() and (hasRole('role1') or hasRole('role2'))" />

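These two patterns are nested, and a user may have a combination of roles like "roleA" and "role1" or "roleA" and "role2", etc. What I want to achieve is that users who have "roleC" and "role1" cannot access /xxx/yyy*.

So my question is:

When a user with "roleC" and "role1" wants to get access with pattern "xxx/yyy222.html", will all lines of the access rules be checked, or is only the second line checked? When considering the access rules for the second line, can I take it for granted that a user who can get into the URL "xxx/yyy*" has only "roleA" and "roleB", or must I put the complete rules on every single line?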

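The intercept-url elements are processed in the order they are defined, and the first one whose pattern matches the request path determines access.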

When user with "roleC" and "role1" wants to get access with pattern "xxx/yyy222.html", will all lines of access rule be checked, or only the second line is checked?

This matches the pattern in the first line, and access will be denied.

When considering the access rules for the second line, can I take it for granted that user can get into the url "xxx/yyy*" have only "roleA" and "roleB", or must I put complete rules for each single lines of rule?

The second line will never be evaluated. Be sure to specify the more specific patterns first.

What I want to achieve, is make users have "roleC" and "role1" cannot access to /xxx/yyy*.

Maybe you want something like this:

<intercept-url pattern="/xxx/yyy*" access="isAuthenticated() and !(hasRole('roleC') and hasRole('role1'))" />
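
The first-match behaviour described in the answer can be checked offline against a rule list. The following is an added example, not part of the original answer and not Spring Security code: it reads intercept-url elements in document order and reports which pattern decides each sample path and which patterns are shadowed by an earlier one. The function names, the sample paths and the simplified Ant-style matcher are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed config: the two rules from the question, in the question's order.
QUESTION_ORDER = """
<http>
  <intercept-url pattern="/xxx/*" access="isAuthenticated() and (hasRole('roleA') or hasRole('roleB'))" />
  <intercept-url pattern="/xxx/yyy*" access="isAuthenticated() and (hasRole('role1') or hasRole('role2'))" />
</http>
"""

# Constructed config: more specific pattern first, using the answer's expression.
SPECIFIC_FIRST = """
<http>
  <intercept-url pattern="/xxx/yyy*" access="isAuthenticated() and !(hasRole('roleC') and hasRole('role1'))" />
  <intercept-url pattern="/xxx/*" access="isAuthenticated() and (hasRole('roleA') or hasRole('roleB'))" />
</http>
"""

def ant_to_regex(pattern):
    """Simplified Ant-style matcher (assumption): '**' any path, '*' one segment, '?' one char."""
    out = []
    for token in re.split(r"(\*\*|\*|\?)", pattern):
        out.append({"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(token, re.escape(token)))
    return re.compile("".join(out) + r"\Z")

def load_rules(xml_text):
    """Return (pattern, access) pairs in document order, the order they are processed in."""
    return [(e.get("pattern"), e.get("access")) for e in ET.fromstring(xml_text).iter("intercept-url")]

def deciding_rule(rules, path):
    """The first rule whose pattern matches decides; later rules are never evaluated."""
    for index, (pattern, access) in enumerate(rules):
        if ant_to_regex(pattern).match(path):
            return index, pattern, access
    return None

def unreached_rules(rules, sample_paths):
    """Patterns that match some sample path but never get to decide any of them."""
    decided = {deciding_rule(rules, p)[0] for p in sample_paths if deciding_rule(rules, p)}
    return [pat for i, (pat, _) in enumerate(rules)
            if i not in decided and any(ant_to_regex(pat).match(p) for p in sample_paths)]

if __name__ == "__main__":
    paths = ["/xxx/yyy222.html", "/xxx/other.html"]  # constructed sample paths
    for name, cfg in (("question order", QUESTION_ORDER), ("specific first", SPECIFIC_FIRST)):
        rules = load_rules(cfg)
        print(name, [deciding_rule(rules, p)[1] for p in paths], "shadowed:", unreached_rules(rules, paths))
```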