匹配的通配符是嚴格的，但沒有聲明可以找到元素的安全性：filter-invocation-definition-source'

Question

我有一個Spring 3.2.4應用程序，允許公共用戶（無需登錄）在表單中搜索。我想CSRF保護添加到該表單，所以我在applicationContext.xml中

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xmlns:aop="http://www.springframework.org/schema/aop" 
     xmlns:jee="http://www.springframework.org/schema/jee" 
     xmlns:security="http://www.springframework.org/schema/security" 

    xsi:schemaLocation=" 
     http://www.springframework.org/schema/beans 
     http://www.springframework.org/schema/beans/spring-beans-2.5.xsd 
     http://www.springframework.org/schema/aop 
     http://www.springframework.org/schema/aop/spring-aop-2.5.xsd 
     http://www.springframework.org/schema/jee 
     http://www.springframework.org/schema/jee/spring-jee-2.5.xsd 
     http://www.springframework.org/schema/security 
     http://www.springframework.org/schema/security/spring-security-4.0.xsd"> 



    <security:http auto-config='true'> 
     <security:intercept-url pattern="/**" access="permitAll" /> 
     <security:csrf/> 
    </security:http> 

    <bean id="anonymousProcessingFilter"  
      class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter"> 
     <property name="key" value="foobar"/> 
     <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/> 
    </bean> 

    <bean id="anonymousAuthenticationProvider" 
     class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider"> 
     <property name="key" value="foobar"/> 
    </bean> 


    <bean id="filterInvocationInterceptor" 
     class="org.springframework.security.intercept.web.FilterSecurityInterceptor"> 
      <property name="authenticationManager" ref="authenticationManager"/> 
      <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/> 
      <property name="objectDefinitionSource"> 

     <security:filter-invocation-definition-source> 
      <security:intercept-url pattern="/**" access='ROLE_ANONYMOUS,ROLE_USER'/>    
     </security:filter-invocation-definition-source> 
    </property> 
    </bean> 

添加此聲明，但是在編譯項目時，我得到這個錯誤，但我當然不需要，因爲任何類型的AuthenticationManager的沒有認證的用戶在應用程序中

org.xml.sax.SAXParseException; lineNumber: 43; columnNumber: 52; cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'security:filter-invocation-definition-source'.:org.xml.sax.SAXParseException:cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'security:filter-invocation-definition-source'. 

Answer 1

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xmlns:aop="http://www.springframework.org/schema/aop" 
     xmlns:jee="http://www.springframework.org/schema/jee" 
     xmlns:security="http://www.springframework.org/schema/security" 

    xsi:schemaLocation=" 
     http://www.springframework.org/schema/beans 
     http://www.springframework.org/schema/beans/spring-beans-2.5.xsd 
     http://www.springframework.org/schema/aop 
     http://www.springframework.org/schema/aop/spring-aop-2.5.xsd 
     http://www.springframework.org/schema/jee 
     http://www.springframework.org/schema/jee/spring-jee-2.5.xsd 
     http://www.springframework.org/schema/security 
     http://www.springframework.org/schema/security/spring-security-4.0.xsd"> 



    <security:global-method-security secured-annotations="enabled" /> 

    <security:http auto-config="true"> 
     <!-- Restrict URLs based on role --> 
     <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" /> 
     <security:intercept-url pattern="/logoutSuccess*" access="IS_AUTHENTICATED_ANONYMOUSLY" /> 

     <security:intercept-url pattern="/css/main.css" access="IS_AUTHENTICATED_ANONYMOUSLY" /> 
     <security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> 

     <security:intercept-url pattern="/**" access="ROLE_USER" /> 

     <!-- Override default login and logout pages --> 
     <security:form-login login-page="/login.html" 
          login-processing-url="/loginProcess" 
          default-target-url="/index.jsp" 
          authentication-failure-url="/login.html?login_error=1" /> 
     <security:logout logout-url="/logout" logout-success-url="/logoutSuccess.html" /> 
    </security:http> 

    <security:authentication-manager> 
     <security:authentication-provider > 
      <security:jdbc-user-service data-source-ref="dataSource" /> 
     </security:authentication-provider> 
    </security:authentication-manager>