Spring Security intercept-url not working with a custom UserDetails object

Date: 2016-09-22 13:01:50

Tags: java spring-mvc spring-security

I am new to Spring Security, so please bear with me. If someone can guide me, I am open to suggestions for making this question more specific.

My problem is that I have an intercept-url configuration in Spring Security, but it always redirects to the access-denied page even though the user has the required role. Here is my Spring Security configuration:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-4.1.xsd">

    <!-- enable use-expressions -->
    <http auto-config="true" use-expressions="true">

        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />

        <!-- access denied page -->
        <access-denied-handler error-page="/403" />

        <session-management invalid-session-url="/login"
            session-fixation-protection="newSession">
            <concurrency-control max-sessions="1"
                error-if-maximum-exceeded="true" />
        </session-management>

        <form-login login-page="/login" authentication-failure-url="/login?error"
            username-parameter="emailId" password-parameter="pwd" />
        <logout logout-success-url="/login?logout" delete-cookies="JSESSIONID" />
        <csrf token-repository-ref="tokenRepository" />
    </http>

    <authentication-manager>
        <authentication-provider ref="customAuthenticationProvider" />
    </authentication-manager>

</beans:beans>

From my research I feel there is nothing wrong with the configuration above, but since I am using a custom UserDetails object, that may be the problem. Here is the POJO:

import java.util.List;

import org.springframework.security.core.userdetails.UserDetails;

public class CustomUser implements UserDetails {

    private static final long serialVersionUID = 1L;
    private String userID;
    private String emailId;
    private String password;
    private boolean enabled = true;
    private boolean accountNonExpired = true;
    private boolean credentialsNonExpired = true;
    private boolean accountNonLocked = true;
    private List<Role> authorities;

    // Covariant override of Collection<? extends GrantedAuthority> getAuthorities()
    @Override
    public List<Role> getAuthorities() {
        return authorities;
    }
    // other setters and getters (remaining UserDetails methods omitted in the post)
}

The Role class:

import org.springframework.security.core.GrantedAuthority;

public class Role implements GrantedAuthority {

    private static final long serialVersionUID = 1L;
    private String name;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    // The string Spring Security compares against in access expressions
    @Override
    public String getAuthority() {
        return this.name;
    }
}

I also have a custom UserDAO class that populates the CustomUser POJO, and I have confirmed that the values are set without any problem.

Here is my principal (as shown in the logs):

Principal: CustomUser [userID=user1, emailId=test@test.com, password=pwd, enabled=true, accountNonExpired=true, credentialsNonExpired=true, authorities=[Role [name=ADMIN]]];

What could be the reason the page is always denied?

Thanks for taking the time to read the whole post :)

1 answer:

Answer 0 (score: 1)

Change

<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />

to

<intercept-url pattern="/admin/**" access="hasRole('ADMIN')" />

Edit

If the previous solution does not work, then try it this way.

Looking at your Role, it returns "ADMIN" while you expect "ROLE_ADMIN".

Change the role name in your table

from "ADMIN" to "ROLE_ADMIN"
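The prefix behaviour the answer relies on can be checked outside the web application by evaluating the same expressions that an access="..." attribute uses. The following is an added example, not code from the question or the answer: it assumes Spring Security 4.x (the schema version referenced in the question's configuration) on the classpath, and the class RolePrefixCheck, the helpers principalWith/hasRole/hasAuthority and the sample principal names are my own. It builds an authenticated token carrying a single authority string, once as "ADMIN" (the value in the question's log line) and once as "ROLE_ADMIN" (the answer's second suggestion), and evaluates hasRole and hasAuthority against each.

```java
import java.util.List;

import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

/**
 * Evaluates hasRole()/hasAuthority() the way an <intercept-url access="..."> expression does,
 * for a principal holding the given authority strings.
 * Hypothetical class added for illustration; it is not part of the question's project.
 */
public class RolePrefixCheck {

    /** Constructed sample principal carrying the given authority names. */
    static Authentication principalWith(String... authorityNames) {
        List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList(authorityNames);
        // The three-argument constructor marks the token as authenticated, as it is after login.
        return new UsernamePasswordAuthenticationToken("user1", null, authorities);
    }

    /**
     * Equivalent to access="hasRole('...')". SecurityExpressionRoot prepends the default
     * prefix ROLE_ to the argument unless it already starts with ROLE_, then compares the
     * result with each GrantedAuthority.getAuthority() value on the principal.
     */
    static boolean hasRole(Authentication auth, String role) {
        SecurityExpressionRoot root = new SecurityExpressionRoot(auth) { };
        return root.hasRole(role);
    }

    /** Equivalent to access="hasAuthority('...')": the authority string is compared verbatim, no prefix. */
    static boolean hasAuthority(Authentication auth, String authority) {
        SecurityExpressionRoot root = new SecurityExpressionRoot(auth) { };
        return root.hasAuthority(authority);
    }

    public static void main(String[] args) {
        // The principal from the question's log line: one Role whose getAuthority() returns "ADMIN".
        Authentication adminNoPrefix = principalWith("ADMIN");
        // The principal after renaming the role in the table, as the answer's edit suggests.
        Authentication adminWithPrefix = principalWith("ROLE_ADMIN");

        System.out.println("authority ADMIN,      hasRole('ROLE_ADMIN') -> " + hasRole(adminNoPrefix, "ROLE_ADMIN"));
        System.out.println("authority ADMIN,      hasRole('ADMIN')      -> " + hasRole(adminNoPrefix, "ADMIN"));
        System.out.println("authority ADMIN,      hasAuthority('ADMIN') -> " + hasAuthority(adminNoPrefix, "ADMIN"));
        System.out.println("authority ROLE_ADMIN, hasRole('ROLE_ADMIN') -> " + hasRole(adminWithPrefix, "ROLE_ADMIN"));
        System.out.println("authority ROLE_ADMIN, hasRole('ADMIN')      -> " + hasRole(adminWithPrefix, "ADMIN"));
    }
}
```

Compile and run it with spring-security-core on the classpath; each printed line shows which stored authority string satisfies which expression, so the mismatch between what Role.getAuthority() returns and what hasRole() looks for becomes visible without going through a browser. Running the same check against hasAuthority('ADMIN') is the alternative to renaming the rows: the stored string is compared as-is, so whichever of the two you pick, the value in the table and the value in the access expression must agree. One further point a practitioner would take from the question's log line: the password field appears in CustomUser's toString() output, so it is worth excluding credentials from toString() to keep them out of log files.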