Sunday, 5 April 2015

How exactly do Spring Security intercept-urls work?

I am studying Spring Security and I am having some difficulty understanding the intercept-url concept and answering this question that I found in my study material:

In which order do you have to write multiple intercept-url's?

So, in my study material, I found this practical example:



<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd">
    <security:http>
        <!-- Rules are evaluated top to bottom; the first pattern that matches the request decides -->
        <security:intercept-url pattern="/accounts/edit*"
                                access="ROLE_ADMIN" />
        <security:intercept-url pattern="/accounts/account*"
                                access="ROLE_ADMIN,ROLE_USER" />
        <security:intercept-url pattern="/accounts/**"
                                access="IS_AUTHENTICATED_FULLY" />
        <security:intercept-url pattern="/customers/**"
                                access="IS_AUTHENTICATED_ANONYMOUSLY" />
    </security:http>
</beans>


And it is specified that:



intercept-urls are evaluated in the order listed: first match is used, put specific matches first.

But what exactly does that mean?


So I know that the intercept-urls of the security namespace are used to define which URLs are to be secured (correct me if I am asserting the wrong thing).

So in the previous example these URLs are secured:



  • /accounts/edit*

  • /accounts/account*

  • /accounts/**

  • /customers/**


But what exactly do the following access roles represent?

For example, for the /accounts/edit* URL, access="ROLE_ADMIN" is specified.

For the /accounts/account* URL, access="ROLE_ADMIN,ROLE_USER" is specified.

and so on. What exactly does this mean? I think it means, but I am absolutely not sure about it, that if a user tries to access /accounts/edit* he has to be an administrator, whereas if he tries to access /accounts/account* he could be an administrator but also a normal user.


Is this interpretation correct or is it not correct?


If it is correct, how can I specify whether a user "belongs" to ROLE_ADMIN or ROLE_USER? What exactly do they represent and where are they defined?


And what exactly does it mean that intercept-urls are evaluated in the order listed: first match is used, put specific matches first?
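As an added illustration, not part of the question and not Spring Security's own code, here is a small Python simulation of that first-match rule applied to the four patterns above. It assumes Ant-style matching as Spring uses it (a single * stays within one path segment, ** spans segments), and adds an ordering audit that reports which rules a wrong ordering would silently shadow:

```python
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # (Ant-style pattern, value of the access attribute)

# The four rules from the question, in the order the study material lists them.
RULES: List[Rule] = [
    ("/accounts/edit*", "ROLE_ADMIN"),
    ("/accounts/account*", "ROLE_ADMIN,ROLE_USER"),
    ("/accounts/**", "IS_AUTHENTICATED_FULLY"),
    ("/customers/**", "IS_AUTHENTICATED_ANONYMOUSLY"),
]
# Constructed counter-example: the broad /accounts/** rule moved to the top.
BROAD_FIRST: List[Rule] = [RULES[2], RULES[0], RULES[1], RULES[3]]


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Ant-style pattern to regex: '**' spans segments, '*' and '?' stay inside one segment."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):  # '/accounts/**' also matches '/accounts' itself
            out, i = out + "(?:/.*)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def first_match(rules: List[Rule], path: str) -> Optional[str]:
    """First-match evaluation: the first matching pattern's access decides; later rules are skipped."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return access
    return None  # no rule applies to this path at all


def shadowed_rules(rules: List[Rule], sample_paths: List[str]) -> List[str]:
    """Ordering audit: patterns that match some sample path but never decide one,
    because an earlier, broader pattern always wins first."""
    matched, won = set(), set()
    for path in sample_paths:
        hits = [p for p, _ in rules if ant_to_regex(p).match(path)]
        matched.update(hits)
        if hits:
            won.add(hits[0])
    return [p for p, _ in rules if p in matched and p not in won]
```

With BROAD_FIRST, a request to /accounts/editProfile is decided by the IS_AUTHENTICATED_FULLY rule and the ROLE_ADMIN rule is never reached, which is why the material says to put the specific patterns first.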

