
2018/3/15

Spring Security error: A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration

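The cause of this error is that you have probably configured multiple <http> elements, but in the wrong order.

Simply put, an <http> whose pattern is more specific (for example /api/product/) should be placed earlier in the configuration file, while an <http> whose pattern covers a wider range (less specific, for example /**) should be placed later. If the order is reversed, the error above occurs.

For example, the configuration below defines three <http> elements, which from top to bottom are:

  1. Authentication for /api/product/
  2. Skipping authentication for the login page login.jsp
  3. Authentication for /**

So the patterns must be ordered from narrow to broad. According to the official documentation, <http> elements are added to the FilterChainProxy filter chain in the order they are declared: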

...The elements will be added in the order they are declared, so the most specific patterns must again be declared first....
<!-- Stateless RESTful service using Basic authentication -->
<http pattern="/api/**" create-session="stateless">
  <intercept-url pattern='/**' access="hasRole('REMOTE')" />
  <http-basic />
</http>

<!-- Empty filter chain for the login page -->
<http pattern="/login.jsp" security="none"/>

<!-- Additional filter chain for normal users, matching all other requests -->
<http>
  <intercept-url pattern='/**' access="hasRole('USER')" />
  <form-login login-page='/login.jsp' default-target-url="/home.jsp"/>
  <logout />
</http>
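
As an added example (not from the original post and not Spring Security's own code), the Python sketch below lints a configuration for this ordering mistake and shows which <http> chain a request would land on when the first matching chain wins. The function names, the simplified Ant-style matcher and both sample configurations are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the post's three <http> elements with the catch-all moved to the top.
MISORDERED = """<beans>
  <http><intercept-url pattern='/**' access="hasRole('USER')"/></http>
  <http pattern="/api/**" create-session="stateless"><http-basic/></http>
  <http pattern="/login.jsp" security="none"/>
</beans>"""

# Constructed sample: the same elements in the order the post recommends.
CORRECT = """<beans>
  <http pattern="/api/**" create-session="stateless"><http-basic/></http>
  <http pattern="/login.jsp" security="none"/>
  <http><intercept-url pattern='/**' access="hasRole('USER')"/></http>
</beans>"""

UNIVERSAL = "/**"

def chain_patterns(xml_text):
    """Patterns of the <http> elements in declaration order (no pattern = '/**')."""
    root = ET.fromstring(xml_text)
    # Compare local names so a namespaced <security:http> is handled too.
    return [el.get("pattern", UNIVERSAL) for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "http"]

def ant_regex(pattern):
    """Simplified Ant-style matcher: '**' spans directories, '*' and '?' do not."""
    if pattern.endswith("/**"):  # '/api/**' also matches '/api' itself
        return re.compile(re.escape(pattern[:-3]) + r"(/.*)?$")
    out = "".join(".*" if t == "**" else "[^/]*" if t == "*" else "[^/]" if t == "?"
                  else re.escape(t) for t in re.split(r"(\*\*|\*|\?)", pattern))
    return re.compile(out + "$")

def first_match(patterns, path):
    """Index of the chain that handles `path`: the first one whose pattern matches."""
    for i, p in enumerate(patterns):
        if ant_regex(p).match(path):
            return i
    return None

def shadowed(patterns):
    """Patterns declared after a universal match; they can never be selected."""
    if UNIVERSAL in patterns[:-1]:
        return patterns[patterns.index(UNIVERSAL) + 1:]
    return []
```

With the misordered sample, both `/api/product/1` and `/login.jsp` resolve to chain 0 (the form-login catch-all), so the stateless Basic-auth chain and the `security="none"` exemption for the login page would never apply.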
