我正在学习使用Spring Security,并将其集成到Web应用程序中。我正在使用Spring和Spring Security 3.1.2。
如果我在安全配置中指定access="ROLE_USER",则身份验证正常,即我首先收到401,登录后,我可以访问资源。
<http>
<http-basic />
<logout />
<intercept-url
pattern="/exports/**"
access="ROLE_USER" />
</http>
但是,如果我切换到EL,我的检查将不再起作用:
<http use-expressions="true">
<http-basic />
<logout />
<intercept-url
pattern="/exports/**"
access="hasRole('USER')" />
</http>
我认为这两个配置是等效的,但第二个配置不授权查看资源(403错误)。
查看日志:
DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@844f42c6: Principal: org.springframework.security.core.userdetails.User@c052d588: Username: test; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_USER
DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@1a15597, returned: -1
DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
如果我理解正确,尽管认证有效,但WebExpressionVoter仍在投票反对我。
我错过了什么?
答案 0 :(得分:1)