I have security-context.xml:
<security:http auto-config="true">
    <security:intercept-url pattern="/user*" access="hasRole('REGISTERED_USER')"/>
</security:http>
<security:authentication-manager>
    <security:authentication-provider>
        <security:user-service id="userDetailsService">
            <security:user password="password" name="user" authorities="REGISTERED_USER" />
            <security:user password="password" name="manager" authorities="BOOKING_MANAGER" />
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>
As expected, when I try to access login, I am redirected to /user.
But I expected to be granted access after logging in with user/password. That does not happen, and I get:
HTTP Status 403 - Access is denied.
What am I misunderstanding?
Answer 0 (score: 0)
First option: you have to add the ROLE_ prefix:
<security:user password="password" name="user" authorities="ROLE_REGISTERED_USER" />
http://websystique.com/spring-security/spring-security-4-secure-view-layer-using-taglibs/
Second option: you can redefine the RoleVoter bean and make it work without a prefix:
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    <constructor-arg name="decisionVoters">
        <list>
            <bean class="org.springframework.security.access.vote.RoleVoter">
                <property name="rolePrefix" value=""/>
            </bean>
        </list>
    </constructor-arg>
</bean>
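
As an added example (not code from the question or the answer), the following Java program runs the question's check against Spring Security's own expression root, so the effect of the role prefix on hasRole() and hasAuthority() can be observed directly. It assumes Spring Security 4 or later, where hasRole() prepends the default ROLE_ prefix before comparing, with spring-security-core on the classpath; the class name RolePrefixDemo and the helpers rootFor and report are hypothetical, and the user is a constructed TestingAuthenticationToken.

```java
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

// Added example, not code from the question or the answer.
// Assumption: Spring Security 4 or later on the classpath.
public class RolePrefixDemo {

    // Builds an expression root for a constructed, authenticated user
    // that holds exactly one granted authority.
    static SecurityExpressionRoot rootFor(String authority) {
        Authentication auth =
                new TestingAuthenticationToken("user", "password", authority);
        // SecurityExpressionRoot is abstract but declares no abstract methods.
        return new SecurityExpressionRoot(auth) { };
    }

    static void report(String label, boolean granted) {
        System.out.printf("%-62s -> %s%n", label, granted ? "granted" : "denied");
    }

    public static void main(String[] args) {
        // Authority exactly as configured in the question's user-service.
        SecurityExpressionRoot unprefixed = rootFor("REGISTERED_USER");
        // Authority as written in the answer's first option.
        SecurityExpressionRoot prefixed = rootFor("ROLE_REGISTERED_USER");

        // hasRole() searches the user's authorities for prefix + role.
        report("authority REGISTERED_USER, hasRole('REGISTERED_USER')",
                unprefixed.hasRole("REGISTERED_USER"));
        report("authority ROLE_REGISTERED_USER, hasRole('REGISTERED_USER')",
                prefixed.hasRole("REGISTERED_USER"));

        // hasAuthority() compares the string as given, with no prefix added.
        report("authority REGISTERED_USER, hasAuthority('REGISTERED_USER')",
                unprefixed.hasAuthority("REGISTERED_USER"));

        // Same check after clearing the default prefix on the expression root.
        SecurityExpressionRoot noPrefix = rootFor("REGISTERED_USER");
        noPrefix.setDefaultRolePrefix("");
        report("authority REGISTERED_USER, hasRole(...) with empty prefix",
                noPrefix.hasRole("REGISTERED_USER"));
    }
}
```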