共 (1) 个答案

1. # 1 楼答案

   intercept-url模式按列出的顺序匹配。 一旦找到匹配项，其余指定的模式将被忽略

   这就是为什么您应该在前面列出更具体的模式

   在您的情况下，具体的url模式会在后面出现。所以denyAll首先找到并选择了那个

   尊重秩序

   <!  Give access to everybody for CommonDwr.aCommonMethod.dwr  >
   <intercept-url pattern="/js/dwr/CommonDwr.aCommonMethod.dwr" access="permitAll"/>
   
   <!  give access to SomeDWRClass for ROLE_A  >
   <intercept-url pattern="/js/dwr/**/SomeDWRClass**" access="hasAnyRole('ROLE_A')"/>
   
   <!  Deny every url which is dwr call  >
   <intercept-url pattern="/js/dwr/**/**DWR**" access="denyAll"/>
   

   见Core Security Filters

   但是我不明白原因

   The main reason why we are doing this is if some new person comes and write a new DWR class, by default the permission should be denied, so that they can explicitly set an access role for the new class

   创建角色以限制开发人员？通常，角色是指应用程序提供的用户和功能