输入正确的凭据后，我收到了403“拒绝访问”页面。以下是相关的重要文件。
Spring-Security.xml 文件
<!-- Access rules. The only protected URL is the add-industry form, and it requires the
     'Recruiter' role. No catch-all rule (for example pattern="/**") follows it, so every
     other URL, including the post-login target /userpage/, is reachable without logging in.
     Whether hasRole('Recruiter') matches an authority named "Recruiter" or "ROLE_Recruiter"
     depends on the Spring Security version (4.x and later add the ROLE_ prefix automatically,
     3.x compares the name as written), so the string produced by
     LoginService.buildSimpleGrantedAuthority has to agree with the version in use. -->
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/manageIndustry/viewAddIndustryForm"
access="hasRole('Recruiter')" />
<!-- Form login: the username field is emailId and the password field is userPassword.
     A failed login is sent to /accessdenied. With always-use-default-target="false" a
     successful login returns to the protected URL that was originally requested (if any),
     otherwise to /userpage/. -->
<security:form-login login-page="/login/"
default-target-url="/userpage/"
authentication-failure-url="/accessdenied"
username-parameter="emailId"
password-parameter="userPassword"
login-processing-url="/j_spring_security_check"
always-use-default-target="false" />
<!-- Logout invalidates the HTTP session; CSRF protection is switched on. -->
<security:logout invalidate-session="true" />
<security:csrf />
</security:http>
<security:authentication-manager>
<security:authentication-provider
user-service-ref="LoginService">
</security:authentication-provider>
LoginService.java
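/**
 * Loads the Spring Security {@link UserDetails} for the account registered under
 * {@code emailID} (the form's {@code username-parameter="emailId"} value).
 *
 * <p>Fix: the original returned {@code null} when no account matched. The
 * {@code UserDetailsService} contract requires an {@link UsernameNotFoundException}
 * in that case; a {@code null} return is treated by the authentication provider as
 * an internal error rather than as an ordinary failed login.
 *
 * @param emailID the e-mail address submitted as the username
 * @return a {@code User} whose authorities come from {@code buildSimpleGrantedAuthority}
 *     and whose "enabled" flag mirrors {@code UserVO.getIsActive() == 1}
 * @throws UsernameNotFoundException if no account exists for {@code emailID}
 */
@Override
public UserDetails loadUserByUsername(String emailID)
        throws UsernameNotFoundException {
    UserVO userVO = userDAO.getSingleUserByEmailId(emailID);
    if (userVO == null) {
        // Generic message on purpose: do not reveal whether the address is registered.
        throw new UsernameNotFoundException("No user found for the supplied e-mail address");
    }
    List<SimpleGrantedAuthority> grantedAuthority = buildSimpleGrantedAuthority(userVO);
    // enabled = (isActive == 1); the account is never reported as expired or locked here.
    boolean enabled = userVO.getIsActive() == 1;
    return new User(userVO.getEmailId(), userVO.getUserPassword(),
            enabled, true, true, true, grantedAuthority);
}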
/**
 * Builds the authority list for {@code userVO}: at most one entry, carrying the role name
 * exactly as returned by {@code getRoleVO().getRoleName()}; an account without a role gets
 * an empty list.
 *
 * <p>The string produced here is what both {@code hasRole('Recruiter')} in the security XML
 * and the {@code equals("Recruiter")} check in the login controller are compared against.
 * Depending on the Spring Security version, {@code hasRole} may expect a {@code ROLE_}
 * prefix (4.x and later add it automatically) - confirm against the version in use and keep
 * all three places consistent.
 *
 * @param userVO the account whose role is mapped to an authority
 * @return a mutable list with zero or one {@link SimpleGrantedAuthority}
 */
private List<SimpleGrantedAuthority> buildSimpleGrantedAuthority(final UserVO userVO) {
    final List<SimpleGrantedAuthority> authorities = new ArrayList<>();
    if (userVO.getRoleVO() == null) {
        return authorities;
    }
    final String roleName = userVO.getRoleVO().getRoleName();
    authorities.add(new SimpleGrantedAuthority(roleName));
    return authorities;
}
LoginController.java
/**
 * Post-login landing page ({@code default-target-url="/userpage/"}).
 *
 * <p>Routing: a principal that is a {@link UserDetails} holding exactly one authority whose
 * name is {@code "Recruiter"} is sent to the {@code addIndustry} view with a fresh
 * {@code IndustryVO}; every other case (non-{@code UserDetails} principal, several
 * authorities, any other role name) lands on {@code viewIndustry}.
 *
 * <p>NOTE(review): in the security XML shown, no {@code intercept-url} covers
 * {@code /userpage}, so this handler is also reachable without logging in, in which case the
 * fallback view is served. The literal {@code "Recruiter"} has to match the authority string
 * produced by the {@code UserDetailsService}.
 *
 * @return the model-and-view for the selected industry page
 */
@RequestMapping("/userpage")
public ModelAndView userpage() {
    ModelAndView mav = new ModelAndView();
    Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    // Logs the whole principal object; check what its toString() exposes before keeping this.
    log.info(principal);
    if (principal instanceof UserDetails
            && hasSoleAuthority((UserDetails) principal, "Recruiter")) {
        mav.addObject("industryVO", new IndustryVO());
        mav.setViewName("addIndustry");
        return mav;
    }
    mav.setViewName("viewIndustry");
    return mav;
}

/** True when {@code user} holds exactly one authority and its name equals {@code expected}. */
private static boolean hasSoleAuthority(UserDetails user, String expected) {
    Collection<? extends GrantedAuthority> authorities = user.getAuthorities();
    return authorities.size() == 1
            && authorities.iterator().next().getAuthority().equals(expected);
}
IndustryController.java
@RequestMapping("/manageIndustry")
public class IndustryController {
@Autowired
IndustryDAO industryDAO;
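/**
 * Shows the "add industry" form at {@code /manageIndustry/viewAddIndustryForm}.
 *
 * <p>Fix: the original read the authenticated principal into a local that was never used;
 * that lookup is dropped. Authorisation for this URL is left entirely to the
 * {@code intercept-url ... access="hasRole('Recruiter')"} rule in the security XML - nothing
 * in the handler itself checks the caller's role.
 *
 * <p>NOTE(review): Spring MVC may route request variants (trailing slash, suffix) to this
 * handler that the literal intercept-url pattern does not match - confirm the matcher
 * settings cover them.
 *
 * @return the {@code addIndustry} view backed by an empty {@code IndustryVO}
 */
@RequestMapping("/viewAddIndustryForm")
public ModelAndView viewAddIndustryForm() {
    log.info("this is called");
    ModelAndView modelAndView = new ModelAndView();
    modelAndView.addObject("industryVO", new IndustryVO());
    modelAndView.setViewName("addIndustry");
    return modelAndView;
}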
打开http://localhost:8080/JobPortal/login
并输入正确的凭据后，它会把我重定向到addIndustry页面——考虑到 default-target-url="/userpage/"
和登录控制器中的代码。
但是，当我在未登录的情况下直接访问addIndustry页面（即 http://localhost:8080/JobPortal/manageIndustry/viewAddIndustryForm）时，
它会按照Spring-Security.xml
中的配置打开登录页面；但即使提供了正确的凭据，我也会收到 HTTP Status 403 - Access is denied。
任何帮助将不胜感激。
感谢。
答案 0 :(得分:0)
您使用的是哪个版本的 Spring Security？据我记得，在旧版本中必须为用户角色添加前缀“ROLE_”，所以在你的 buildSimpleGrantedAuthority 中应该这样做：
/**
 * Builds the authority list for {@code userVO}, prefixing the stored role name with
 * {@code ROLE_} so that it matches what {@code hasRole('...')} looks for in Spring Security
 * versions that apply the prefix. An account without a role gets an empty list.
 *
 * <p>Keep the other comparison on this page in step: the login controller's
 * {@code equals("Recruiter")} check would no longer match an authority named
 * {@code ROLE_Recruiter}.
 *
 * @param userVO the account whose role is mapped to an authority
 * @return a mutable list with zero or one {@link SimpleGrantedAuthority}
 */
private List<SimpleGrantedAuthority> buildSimpleGrantedAuthority(final UserVO userVO) {
    final List<SimpleGrantedAuthority> authorities = new ArrayList<>();
    if (userVO.getRoleVO() == null) {
        return authorities;
    }
    final String prefixedRole = "ROLE_" + userVO.getRoleVO().getRoleName();
    authorities.add(new SimpleGrantedAuthority(prefixedRole));
    return authorities;
}