0
我似乎无法弄清楚为什么这个配置给出IllegalArgumentException。错误是:http安全配置问题基本:IllegalArgument
Caused by: java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration
的配置是:
<!-- Disable Spring Security for static content -->
<http pattern="/css/**" security="none"/>
<http pattern="/js/**" security="none"/>
<!-- Web app security -->
<http use-expressions="true" authentication-manager-ref="pvDatabase">
<!-- Insecure endpoints -->
<intercept-url pattern="/" access="permitAll"/>
<intercept-url pattern="/spring/login" access="permitAll"/>
<intercept-url pattern="/spring/loginfail" access="permitAll"/>
<intercept-url pattern="/spring/loggedout" access="permitAll"/>
<intercept-url pattern="/insecure/**" access="permitAll"/>
<!-- Secure endpoints -->
<intercept-url pattern="/secure/admin/**" access="hasAnyRole('ADMIN')"/>
<intercept-url pattern="/spring/**" access="hasAnyRole('ADMIN', 'USER')"/>
<intercept-url pattern="/secure/**" access="hasAnyRole('ADMIN', 'USER')"/>
<!-- Authentication Entrypoint is FORM-LOGIN -->
<form-login login-page="/spring/login"
login-processing-url="/spring/login"
authentication-failure-url="/spring/loginfail"
default-target-url="/spring/loginsuccess"
always-use-default-target="true" />
<logout logout-url="/spring/logout" logout-success-url="/spring/loggedout" delete-cookies="JSESSIONID" invalidate-session="true"/>
<csrf/>
<!-- HTTP 403 Access denied custom handling -->
<access-denied-handler ref="pvAccessDeniedHandler"/>
</http>
<!-- Web services security : this section generates an error -->
<http use-expressions="true" create-session="stateless" authentication-manager-ref="pvDatabase">
<!-- Authentication Entrypoint is HTTP-BASIC -->
<http-basic entry-point-ref="PVBasicAuthenticationEntryPoint"/>
<!-- secure endpoints : web services -->
<intercept-url pattern="/services/api/**" access="hasAnyRole('ADMIN', 'WEBSERVICES')"/>
<!-- HTTP 403 Access denied custom handling -->
<access-denied-handler ref="pvAccessDeniedHandler"/>
</http>
安全工作得很好,如果我删除整个Web服务安全性部分,我要的是能够保护仅的/服务/ api/**与basic-auth模式,此外还限制只有ADMIN和WEBSERVICES角色的用户。
我不知道我明白错误,因为没有其他的url模式定义为通用匹配,我没有/ **映射到任何地方。
我的应用程序由2个Dispatcher servlet组成,第一个映射到/ spring/*,第二个映射到/ services/api/*。 Spring Security筛选器链映射为/ *
谢谢,工作! – SBKDeveloper