Intercept-url Configuration
The access attribute of intercept-url takes a string, which is either a list of required authorities or an expression.

The common form is a plain list of role names, several of them separated by commas, such as:
<security:http>
<security:form-login/>
<security:logout/>
<security:intercept-url pattern="/secure/**" access="ROLE_USER,ROLE_ADMIN"/>
</security:http>
With this configuration every URL under /secure requires the ROLE_USER or the ROLE_ADMIN authority. A value that starts with ROLE_ is handled by RoleVoter, and the default AffirmativeBased decision manager grants access as soon as one of the listed roles matches. The comparison is an exact, case-sensitive string match, so the names must be spelled exactly as the authorities your UserDetailsService returns. Note that this plain-list form only works while use-expressions is off (the default in Spring Security 3.x): with use-expressions="true" the same value is parsed as a SpEL expression, and the application context fails to start with a parse error.

The value can also be an expression. Written as an expression, the configuration above becomes:
<security:http use-expressions="true">
<security:form-login/>
<security:logout/>
<security:intercept-url pattern="/secure/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
</security:http>
or, equivalently, two hasRole() calls joined with or:
<security:intercept-url pattern="/secure/**" access="hasRole('ROLE_USER') or hasRole('ROLE_ADMIN')"/>
Note that use-expressions="true" must be set on the http element whenever an expression is used. More information about using expressions follows later in this article. When the access attribute of intercept-url holds an expression, it is processed by WebExpressionVoter by default.
In addition, three special values are available, handled by AuthenticatedVoter by default. IS_AUTHENTICATED_ANONYMOUSLY means the resource can be reached without logging in: anonymous, remember-me and fully authenticated users all pass. IS_AUTHENTICATED_REMEMBERED requires at least a remember-me authentication, so it admits remember-me and fully authenticated users but not anonymous ones. IS_AUTHENTICATED_FULLY requires that the user actually authenticated in the current session, for example through the login form; a remember-me cookie is not enough. The three are nested: whatever FULLY accepts, REMEMBERED accepts too, and ANONYMOUSLY accepts everything. Because the login page itself must be reachable before login, it is usually given IS_AUTHENTICATED_ANONYMOUSLY, and its rule has to appear before the catch-all rule, since intercept-url rules are evaluated in order and the first pattern that matches wins:
<security:http>
<security:form-login login-page="/login.jsp"/>
<!-- The login page can be accessed anonymously -->
<security:intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-url pattern="/**" access="ROLE_USER"/>
</security:http>
Specify the Access Protocol
The protocol a URL must be accessed over is specified with the requires-channel attribute of intercept-url. requires-channel accepts three values: http, https and any; any means the URL may be reached over either HTTP or HTTPS.
<security:http auto-config="true">
<security:form-login/>
<!-- Reachable only over HTTPS -->
<security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" requires-channel="https"/>
<!-- Reachable only over HTTP -->
<security:intercept-url pattern="/**" access="ROLE_USER" requires-channel="http"/>
</security:http>
Note that when a resource restricted to HTTPS is requested over HTTP, Spring Security does not reject the request but redirects it to the same URL on the HTTPS channel. The reverse also holds: requires-channel="http" redirects HTTPS requests back to plain HTTP. The configuration above therefore bounces a user who has just logged in to /admin over HTTPS back to HTTP for every other URL, where the session cookie is sent in plaintext unless the container flagged it Secure, in which case the session is simply lost. In practice give the rest of the site https (or any), not http. If the HTTP or HTTPS listener is not on its standard port (80 for HTTP, 443 for HTTPS; 80/443 and 8080/8443 are mapped by default), the correspondence between the two ports must be declared with the port-mappings element, otherwise the redirect targets the wrong port:
<security:http auto-config="true">
<security:form-login/>
<!-- Reachable only over HTTPS -->
<security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" requires-channel="https"/>
<!-- Reachable only over HTTP -->
<security:intercept-url pattern="/**" access="ROLE_USER" requires-channel="http"/>
<security:port-mappings>
<security:port-mapping http="8899" https="9988"/>
</security:port-mappings>
</security:http>
Specify the Request method
Often some URLs should only be reached by POST and others only by GET. Spring Security supports this through the method attribute of intercept-url, which restricts the HTTP methods a rule applies to; when it is omitted the rule applies to every method. Be precise about what this does: a rule with method="POST" matches only POST requests. A GET to the same URL is not rejected by that rule; it falls through to the next rule whose pattern and method match, and if no rule matches at all, the request carries no access attributes and FilterSecurityInterceptor lets it through unauthenticated (its rejectPublicInvocations property is false by default). Method-scoped rules therefore always need a catch-all rule without a method attribute after them. Each rule also needs an access value; an intercept-url without one is not registered as an authorization rule.
<security:http auto-config="true">
<security:form-login/>
<!-- Applies only to POST requests under /post -->
<security:intercept-url pattern="/post/**" access="ROLE_USER" method="POST"/>
<!-- Applies only to GET requests -->
<security:intercept-url pattern="/**" access="ROLE_USER" method="GET"/>
<!-- Any other method (PUT, DELETE, ...) matches neither rule and is left unprotected -->
</security:http>
The allowed values for method are GET, POST, DELETE, PUT, HEAD, OPTIONS and TRACE.
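Putting the access, channel and method sections together, the following http element is an added example written for this edit, not configuration from the original page or the Spring Security project. It assumes the Spring Security 3.x namespace with the security: prefix used on this page, a UserDetailsService that issues ROLE_USER and ROLE_ADMIN, and the non-standard 8899/9988 listeners from the port-mapping example; the paths /login.jsp, /admin/** and /post/** are the page's own. Because use-expressions is on, the IS_AUTHENTICATED_* constants are written in their expression forms (permitAll, fullyAuthenticated). It keeps the whole site on HTTPS instead of redirecting non-admin URLs back to http, and closes the hole that method-scoped rules leave for unlisted methods with a final catch-all rule.

```xml
<security:http use-expressions="true">
    <security:form-login login-page="/login.jsp"/>
    <security:logout/>

    <!-- The login page must be reachable before login. permitAll is the expression form of
         IS_AUTHENTICATED_ANONYMOUSLY; this rule must come before the catch-all at the bottom,
         because the first matching intercept-url wins. -->
    <security:intercept-url pattern="/login.jsp*" access="permitAll" requires-channel="https"/>

    <!-- Admin area: a remember-me cookie is not enough, the user must have logged in this
         session (fullyAuthenticated is the expression form of IS_AUTHENTICATED_FULLY). -->
    <security:intercept-url pattern="/admin/**"
                            access="hasRole('ROLE_ADMIN') and fullyAuthenticated"
                            requires-channel="https"/>

    <!-- Method-scoped rule: applies only to POST requests under /post. A GET here falls
         through to the catch-all below instead of being rejected by this rule. -->
    <security:intercept-url pattern="/post/**" access="hasRole('ROLE_USER')"
                            method="POST" requires-channel="https"/>

    <!-- Catch-all with no method attribute: every request not matched above, including PUT,
         DELETE, HEAD, OPTIONS and TRACE, needs a logged-in user. Without this rule those
         methods would carry no access attributes and pass through unchecked. Using https
         rather than http here avoids redirecting an HTTPS session back to plaintext. -->
    <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" requires-channel="https"/>

    <!-- Non-standard listeners (assumed): tells the channel redirect which HTTPS port
         corresponds to the HTTP port the request arrived on. -->
    <security:port-mappings>
        <security:port-mapping http="8899" https="9988"/>
    </security:port-mappings>
</security:http>
```

A quick way to check such a configuration is to request a protected URL with each method listed for the method attribute (GET, POST, DELETE, PUT, HEAD, OPTIONS, TRACE) while logged out; every one of them should end at the login page or a 403, and any that returns the resource is a method the rules do not cover.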
Spring Security Primer (1-9): Spring Security - Intercepting URLs