我是Spring Security的新手,我正在开发一个需要使用Spring Security 3.2进行身份验证和授权的Web应用程序,身份验证部分工作正常,但授权却没有。下面是我的spring安全配置xml片段。
<authentication-manager>
<authentication-provider>
<password-encoder ref="encoder" />
<jdbc-user-service data-source-ref="myDataSource"
users-by-username-query=" SELECT email_address as username , password, enabled FROM users WHERE email_address = ? "
authorities-by-username-query=" SELECT u.email_address as username ,
r.role_name FROM users u
INNER JOIN user_roles ur
ON ur.user_id = u.user_id
INNER JOIN roles r
ON r.role_id = ur.role_id
WHERE u.email_address = ? "/>
</authentication-provider>
</authentication-manager>
<beans:bean id="encoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength" value="11" />
</beans:bean>
<http pattern="/resources/**" security="none" />
<http auto-config="true" use-expressions="true" create-session="ifRequired">
<form-login login-page="/" default-target-url="/admin/dashboard"
authentication-failure-url="/login-error" always-use-default-target="true" />
<!-- Security zones -->
<intercept-url pattern="/" access="isAnonymous()" />
<intercept-url pattern="/admin*" access="hasRole('ROLE_ADMIN')" />
<session-management invalid-session-url="/"
session-fixation-protection="newSession">
<concurrency-control max-sessions="1"
error-if-maximum-exceeded="true" />
</session-management>
<logout logout-success-url="/" delete-cookies="JSESSIONID"
invalidate-session="true" />
<access-denied-handler error-page="/403" />
</http>
使用此配置,除授权外,一切正常。我有两个用户名为 tim@abc.com(role = ADMIN)和 bob@abc.com(role = USER),但当我尝试使用 bob@abc.com 然后我也可以查看 admin / dashboard 页面,这不应该发生。
我已经推荐了许多教程和spring doc,但却无法找到确切的问题。请帮忙。
答案 0 :(得分:1)
将模式更改为“/ admin / *”
<intercept-url access="hasRole('ROLE_ADMIN')" />
您的default-target-url =“/ admin / dashboard”似乎令人困惑,因为每个用户在登录后都会重定向到/ admin / dashboard。当您使用bob@abc.com登录时,您可能会收到http UnAuthorized响应。