我已经设置了我的Spring安全性,但是,我的HttpServletRequest无论如何,它都不是SecurityContextHolderAwareRequestWrapper的实例。
有趣的是,如果我直接使用SecurityContextHolder.getContext()。getAuthentication(),我就能获得所需的所有信息。
这是我的调试代码
logger.debug("Test Permission using AwareRequestWrapper object");
if (request instanceof SecurityContextHolderAwareRequestWrapper) {
logger.debug("The request is an instance of SpringSecurityAwareRequestWrapper");
SecurityContextHolderAwareRequestWrapper requestWrapper =
(SecurityContextHolderAwareRequestWrapper) request;
if(requestWrapper.isUserInRole("administrator"))
{
logger.debug("user is an admin");
}
else{
logger.debug("user is a user");
}
}
else{
logger.debug("The request is NOT an instance of SpringSecurityAwareRequestWrapper");
}
logger.debug("Test using directi SecurityContextHolder");
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if(auth!=null)
{
logger.debug("Authenticaiton object is not null");
baseResult = (LoginResult)auth.getPrincipal();
if(baseResult.isAdmin())
{
logger.debug("user is an admin");
}
else{
logger.debug("user is an user");
}
}
else{
logger.debug("Authentication object is null");
}
以下是log
中的结果2015-09-08 11:02:56,668 DEBUG [debugLogger] - Test Permission using AwareRequestWrapper object
2015-09-08 11:02:56,668 DEBUG [debugLogger] - The request is NOT an instance of SpringSecurityAwareRequestWrapper
2015-09-08 11:02:56,668 DEBUG [debugLogger] - Test using directi SecurityContextHolder
2015-09-08 11:02:56,668 DEBUG [debugLogger] - Authenticaiton object is not null
2015-09-08 11:02:56,668 DEBUG [debugLogger] - user is an admin
这是我的security.xml
<http auto-config="true" servlet-api-provision="true" use-expressions="true">
<intercept-url pattern="/" access="permitAll"/>
<intercept-url pattern="/css/*" access="permitAll"/>
<intercept-url pattern="/images/*" access="permitAll"/>
<intercept-url pattern="/js/*" access="permitAll"/>
<intercept-url pattern="/resources/*.ttf" access="permitAll"/>
<intercept-url pattern="/fonts/*" access="permitAll"/>
<intercept-url pattern="/Logout.jsp" access="permitALL" />
<intercept-url pattern="/index" access="permitAll"/>
<intercept-url pattern="/**/*" access="isAuthenticated()"/>
<form-login
login-page="/"
default-target-url="/home"
authentication-failure-url="/logout"
login-processing-url="/register"/>
<csrf disabled="true"/>
</http>
<beans:bean id="customAuthenticationProvider"
class="mynamespace.CustomAuthenticationProvider" />
<authentication-manager>
<authentication-provider ref="customAuthenticationProvider"/>
</authentication-manager>
[编辑]:
FYI。在我打开日志中的Spring Security之后,我做了这个
2015-09-08 12:22:19,634 DEBUG [org.springframework.security.web.FilterChainProxy] - /home at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
所以,过滤器被解雇了,为什么我的控制器无法获得SecurityContextHolderAwareRequestWrapper?
由于