我对弹簧安全感到陌生,所以请耐心等待。如果有人可以指导我,我愿意接受建议,使这个问题更加具体。
我的问题是我在Spring安全性中有一个intercept-url配置,但即使用户具有必需的角色,它总是会重定向到拒绝访问的页面。这是我的Spring安全配置:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.1.xsd">
<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
<!-- access denied page -->
<access-denied-handler error-page="/403" />
<session-management invalid-session-url="/login"
session-fixation-protection="newSession">
<concurrency-control max-sessions="1"
error-if-maximum-exceeded="true" />
</session-management>
<form-login login-page="/login" authentication-failure-url="/login?error"
username-parameter="emailId" password-parameter="pwd" />
<logout logout-success-url="/login?logout" delete-cookies="JSESSIONID" />
<csrf token-repository-ref="tokenRepository" />
</http>
<authentication-manager>
<authentication-provider ref="customAuthenticationProvider" />
</authentication-manager>
</beans:beans>
通过我的研究,我觉得上面的配置没有任何问题,但由于我使用的自定义UserDetails对象,它可能是一个问题。这是POJO:
public class CustomUser implements UserDetails {
private static final long serialVersionUID = 1L;
private String userID;
private String emailId;
private String password;
private boolean enabled = true;
private boolean accountNonExpired = true;
private boolean credentialsNonExpired = true;
private boolean accountNonLocked = true;
private List<Role> authorities;
@Override
public List<Role> getAuthorities() {
return authorities;
}
//other setters and getters
}
角色类:
public class Role implements GrantedAuthority {
private static final long serialVersionUID = 1L;
private String name;
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public String getAuthority() {
return this.name;
}
}
我还有一个自定义UserDAO类,用于填充CustomUser POJO,我已经确认在设置值时没有问题。
这是我的原则(如日志中所述):
Principal: CustomUser [userID=user1, emailId=test@test.com, password=pwd, enabled=true, accountNonExpired=true, credentialsNonExpired=true, authorities=[Role [name=ADMIN]]];
页面总是被拒绝的原因是什么?
感谢您花时间阅读整篇文章:)
答案 0 :(得分:1)
<强>更改
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
以
<intercept-url pattern="/admin/**" access="hasRole('ADMIN')" />
修改
如果先前的解决方案没有成功,那么请尝试这种方式。
在你的角色中看到它返回&#34; ADMIN&#34;你希望&#34; ROLE_ADMIN&#34;
将角色名称更改为表格
&#34; ADMIN&#34;到&#34; ROLE_ADMIN&#34;