http安全配置问题基本：IllegalArgument

Question

我似乎无法弄清楚为什么这个配置给出IllegalArgumentException。错误是：

Caused by: java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration 

的配置是：

<!-- Disable Spring Security for static content --> 
<http pattern="/css/**" security="none"/> 
<http pattern="/js/**" security="none"/> 

<!-- Web app security --> 
<http use-expressions="true" authentication-manager-ref="pvDatabase"> 
    <!-- Insecure endpoints --> 
    <intercept-url pattern="/" access="permitAll"/> 
    <intercept-url pattern="/spring/login" access="permitAll"/> 
    <intercept-url pattern="/spring/loginfail" access="permitAll"/> 
    <intercept-url pattern="/spring/loggedout" access="permitAll"/>  
    <intercept-url pattern="/insecure/**" access="permitAll"/> 

    <!-- Secure endpoints -->    
    <intercept-url pattern="/secure/admin/**" access="hasAnyRole('ADMIN')"/> 
    <intercept-url pattern="/spring/**" access="hasAnyRole('ADMIN', 'USER')"/> 
    <intercept-url pattern="/secure/**" access="hasAnyRole('ADMIN', 'USER')"/>  

    <!-- Authentication Entrypoint is FORM-LOGIN --> 
    <form-login login-page="/spring/login" 
     login-processing-url="/spring/login" 
     authentication-failure-url="/spring/loginfail" 
     default-target-url="/spring/loginsuccess" 
     always-use-default-target="true" /> 
    <logout logout-url="/spring/logout" logout-success-url="/spring/loggedout" delete-cookies="JSESSIONID" invalidate-session="true"/> 
    <csrf/> 

    <!-- HTTP 403 Access denied custom handling --> 
    <access-denied-handler ref="pvAccessDeniedHandler"/> 
</http> 

<!-- Web services security : this section generates an error --> 
<http use-expressions="true" create-session="stateless" authentication-manager-ref="pvDatabase"> 
    <!-- Authentication Entrypoint is HTTP-BASIC --> 
    <http-basic entry-point-ref="PVBasicAuthenticationEntryPoint"/> 

    <!-- secure endpoints : web services --> 
    <intercept-url pattern="/services/api/**" access="hasAnyRole('ADMIN', 'WEBSERVICES')"/> 

    <!-- HTTP 403 Access denied custom handling --> 
    <access-denied-handler ref="pvAccessDeniedHandler"/> 
</http> 

安全工作得很好，如果我删除整个Web服务安全性部分，我要的是能够保护仅的/服务/ api/**与basic-auth模式，此外还限制只有ADMIN和WEBSERVICES角色的用户。

我不知道我明白错误，因为没有其他的url模式定义为通用匹配，我没有/ **映射到任何地方。

我的应用程序由2个Dispatcher servlet组成，第一个映射到/ spring/*，第二个映射到/ services/api/*。 Spring Security筛选器链映射为/ *

Answer 1

此错误是因为http块也按顺序考虑，并且http块的默认模式是/ **。除了最后一个http块之外的所有模式属性，其他块都不会被看到。

将模式添加到第一个http块应该可以解决您的问题。如果模式不起作用，您还可以使用RequestMatcher的自定义实例与request-matcher-ref。