spring security css样式不起作用。

时间:2021-11-03 15:45:54

I have a problem applying css to the web pages, using spring security (3.0.7 version). I have the following config:

我使用spring security(3.0.7版本)将css应用于web页面有一个问题。我有以下配置:

<http auto-config="true" use-expressions="true">
<intercept-url pattern="/faces/resources/**" filters="none"/>
<intercept-url pattern="/faces/inicio.xhtml" access="permitAll"/>
<intercept-url pattern="/faces/paginas/autenticacion/login.xhtml*" access="permitAll"/>
<intercept-url pattern="/faces/paginas/administracion/**" access="isAuthenticated()"/>
<intercept-url pattern="/faces/paginas/barco/**" access="isAuthenticated()"/>
<intercept-url pattern="/faces/paginas/catalogo/**" access="permitAll"/>
<intercept-url pattern="/faces/paginas/error/**" access="permitAll"/>
<intercept-url pattern="/faces/paginas/plantillas/**" access="permitAll"/>
<intercept-url pattern="/**" access="denyAll" />

By default, I deny access to the whole pages. Then, I apply authorization to the concrete pages specifying their URLs patterns, and they apply first in the given order, being the denyAll rule the last one.


  • "inicio.xhtml" is the homepage.
  • “inicio。xhtml”是主页。
  • "login.xhtml" is the login form.
  • ”登录。xhtml“是登录表单。
  • "administracion" and "barco" directories contain pages that should be accessed just by authenticated users.
  • “adminacion”和“barco”目录包含应该仅由经过身份验证的用户访问的页面。
  • "catalogo" directory contains pages that should be accessed by everyone.
  • “catalogo”目录包含每个人都应该访问的页面。
  • "error" directory contains the error pages of the app.
  • “error”目录包含应用程序的错误页面。
  • "plantillas" directory contains the template facelets pages of the app (I use JSF2).
  • “plantillas”目录包含应用程序的模板facelets页(我使用JSF2)。

The "resources" directory contain images, css files, and javascript. So in the first line I tell spring security not to use the security filter for it.

“资源”目录包含图像、css文件和javascript。所以在第一行,我告诉spring security不要使用安全过滤器。

However, with this configuration, when I run the app, css styles are not applied to pages!!


I've checked that if I turn the default authorization to "permitAll", it works. But I don't want to do that, beacuse it isn't a good practice.


Any idea why not working? I think it should work.


1 个解决方案



This works if you are adding stylesheets inline. For example:


<link type="text/css" rel="stylesheet" href="/resources/style.css" />

If you are using



tag, the url pattern should be like this


<intercept-url pattern="/faces/javax.faces.resource/**" filters="none"/>



This works if you are adding stylesheets inline. For example:


<link type="text/css" rel="stylesheet" href="/resources/style.css" />

If you are using



tag, the url pattern should be like this


<intercept-url pattern="/faces/javax.faces.resource/**" filters="none"/>