Spring Security 4.1 upgrade - HttpServletRequest isUserInRole returns false

Time: 2016-09-12 14:59:40

Tags: spring spring-security

After a successful login, the isUserInRole method of the HttpServletRequest class returns false. It returned true before the Spring Security version was upgraded to 4.1.3.

The spring-security-core-4.1.3, spring-security-web-4.1.3 and spring-security-config-4.1.3 jars are on the classpath.

Spring-Security.xml file

    ...
    <spring:bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter"/>

    <spring:bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter"/>

    <spring:bean id="webExpressionVoter" class="org.springframework.security.web.access.expression.WebExpressionVoter"/>

    <spring:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
        <spring:constructor-arg>
            <spring:list>
                <spring:ref bean="roleVoter"/>
                <spring:ref bean="authenticatedVoter"/>
                <spring:ref bean="webExpressionVoter"/>
            </spring:list>
        </spring:constructor-arg>
    </spring:bean>

    <security:http access-decision-manager-ref="accessDecisionManager" use-expressions="true">

        <security:intercept-url pattern="/login.jsp" access="hasAuthority('ROLE_ANONYMOUS')"/>
        <security:intercept-url pattern="/index*" access="hasAuthority('ROLE_USER')"/>

        <security:form-login login-page="/login.jsp"
            username-parameter="j_username"
            password-parameter="j_password"
            login-processing-url="/j_spring_security_check"
            authentication-failure-url="/accessDenied.jsp"/>

        <security:logout invalidate-session="true" delete-cookies="JSESSIONID"/>

        <security:csrf disabled="true"/>

    </security:http>

    <security:authentication-manager alias="secAuthManager">
        <security:authentication-provider ref="securityProvider"/>
    </security:authentication-manager>

    <spring:bean id="securityProvider" class="com.SecurityProvider"/>
    ...

The SecurityProvider class

    public class SecurityProvider implements AuthenticationProvider {

        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            ...
            List<GrantedAuthority> grantedAuthorities = ...
            return new UsernamePasswordAuthenticationToken(user, password, grantedAuthorities);
        }

        @Override
        public boolean supports(Class<?> authentication) {
            return authentication.equals(UsernamePasswordAuthenticationToken.class);
        }
    }

If I replace the 4.1.3 security jars with version 3.2.9 and remove <security:csrf disabled="true"/> from Spring-Security.xml, then it works.

1 answer:

Answer 0 (score: 0)

The problem was solved after adding the ROLE_ prefix to each GrantedAuthority in List<GrantedAuthority> grantedAuthorities.
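As an added illustration (not the answer author's or the asker's code), here is a version of the provider that issues authorities carrying the ROLE_ prefix, so that both the hasAuthority('ROLE_USER') rule in the config above and request.isUserInRole("USER") (which Spring Security 4's request wrapper checks against the ROLE_-prefixed name) see the same authority. It assumes Java 9+ collection factories and uses a constructed in-memory user table in place of the elided lookup.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

public class SecurityProvider implements AuthenticationProvider {

    private static final String ROLE_PREFIX = "ROLE_";

    // Constructed sample data for this example: user -> password and user -> roles as stored.
    private static final Map<String, String> PASSWORDS = Map.of("alice", "secret");
    private static final Map<String, List<String>> ROLES =
            Map.of("alice", List.of("USER", "ROLE_AUDITOR"));

    /** Prepends ROLE_ exactly once, so "USER" and "ROLE_USER" both yield ROLE_USER. */
    static GrantedAuthority withRolePrefix(String role) {
        String name = role.startsWith(ROLE_PREFIX) ? role : ROLE_PREFIX + role;
        return new SimpleGrantedAuthority(name);
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String user = authentication.getName();
        String password = String.valueOf(authentication.getCredentials());
        // Real code compares against a stored password hash; the table here is plain text.
        if (!password.equals(PASSWORDS.get(user))) {
            throw new BadCredentialsException("Bad credentials");
        }
        List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
        for (String role : ROLES.get(user)) {
            grantedAuthorities.add(withRolePrefix(role));
        }
        // Authorities are now ROLE_USER and ROLE_AUDITOR: hasAuthority('ROLE_USER') in
        // intercept-url matches, and request.isUserInRole("USER") resolves to ROLE_USER.
        return new UsernamePasswordAuthenticationToken(user, password, grantedAuthorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```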