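Question: Spring custom login returns a 403 Access Denied page

Time: 2017-02-26 12:02:21

Tags: java spring spring-mvc spring-security

After entering the correct credentials, I get a 403 Access Denied page. Here are some of the important files.

spring-security.xml file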

<security:http auto-config="true" use-expressions="true">

<security:intercept-url pattern="/manageIndustry/viewAddIndustryForm"
    access="hasRole('Recruiter')" />


<security:form-login login-page="/login/"
    default-target-url="/userpage/"
    authentication-failure-url="/accessdenied"
    username-parameter="emailId" 
    password-parameter="userPassword"
    login-processing-url="/j_spring_security_check"
    always-use-default-target="false" />

<security:logout invalidate-session="true" />
<security:csrf />
</security:http>

<security:authentication-manager>
    <security:authentication-provider
        user-service-ref="LoginService">
    </security:authentication-provider>
</security:authentication-manager>

LoginService.java

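@Override
public UserDetails loadUserByUsername(String emailID)
        throws UsernameNotFoundException {
    UserVO userVO = userDAO.getSingleUserByEmailId(emailID);
    if (userVO == null) {
        // The UserDetailsService contract forbids returning null for an unknown user.
        throw new UsernameNotFoundException("No user found for the given email");
    }
    List<SimpleGrantedAuthority> grantedAuthority = buildSimpleGrantedAuthority(userVO);
    // Arguments: username, password, enabled, accountNonExpired,
    // credentialsNonExpired, accountNonLocked, authorities
    UserDetails userDetails = new User(userVO.getEmailId(), userVO.getUserPassword(),
            userVO.getIsActive() == 1, true, true, true, grantedAuthority);
    return userDetails;
}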

private List<SimpleGrantedAuthority> buildSimpleGrantedAuthority(
        final UserVO userVO) {
    List<SimpleGrantedAuthority> grantedAuthorities = new ArrayList<>();
    if (userVO.getRoleVO() != null) {
        grantedAuthorities.add(new SimpleGrantedAuthority(userVO
                .getRoleVO().getRoleName()));
    }
    return grantedAuthorities;
}

LoginController.java

@RequestMapping("/userpage")
public ModelAndView userpage() {
    ModelAndView modelAndView = new ModelAndView();
    Object principal = SecurityContextHolder.getContext()
            .getAuthentication().getPrincipal();
    log.info(principal);
    if (principal instanceof UserDetails) {
        Collection<? extends GrantedAuthority> authorities = ((UserDetails) principal)
                .getAuthorities();
        if (authorities.size() == 1) {
            final Iterator<? extends GrantedAuthority> iterator = authorities
                    .iterator();
            GrantedAuthority grantedAuthority = iterator.next();
            if (grantedAuthority.getAuthority().equals("Recruiter")) {
                IndustryVO industryVO = new IndustryVO();
                modelAndView.addObject("industryVO", industryVO);
                modelAndView.setViewName("addIndustry");
                return modelAndView;
            }
        }
    }
    modelAndView.setViewName("viewIndustry");
    return modelAndView;
}

IndustryController.java

@RequestMapping("/manageIndustry")
public class IndustryController {
    @Autowired
    IndustryDAO industryDAO;

    // Protected by access="hasRole('Recruiter')" in the security configuration.
    @RequestMapping("/viewAddIndustryForm")
    public ModelAndView viewAddIndustryForm() {
        Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        log.info("this is called");

        ModelAndView modelAndView = new ModelAndView();
        IndustryVO industryVO = new IndustryVO();
        modelAndView.addObject("industryVO", industryVO);
        modelAndView.setViewName("addIndustry");
        return modelAndView;
    }
}

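After opening http://localhost:8080/JobPortal/login and entering the correct credentials, it redirects me to the addIndustry page, considering default-target-url="/userpage/" and the code in the login controller.

But when I try to access the addIndustry page directly without logging in, i.e. http://localhost:8080/JobPortal/manageIndustry/viewAddIndustryForm, it opens the login page as per the configuration in Spring-Security.xml, but even after providing the correct credentials I get HTTP Status 403 - Access is denied

Any help would be greatly appreciated.

Thanks.

1 Answer:

Answer 0: (score: 0)

Which version of Spring Security are you using? As far as I remember, in older versions you had to add the prefix "ROLE_" to user roles, so in your buildSimpleGrantedAuthority you should do this: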

private List<SimpleGrantedAuthority> buildSimpleGrantedAuthority(
        final UserVO userVO) {
    List<SimpleGrantedAuthority> grantedAuthorities = new ArrayList<>();
    if (userVO.getRoleVO() != null) {
        grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_"+userVO
                .getRoleVO().getRoleName()));
    }
    return grantedAuthorities;
}
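
The mismatch between the stored authority and the access expression can be checked outside the web application. The following is an added example, not code from the question or the answer: it assumes spring-security-core 4 or later on the classpath, where hasRole prepends the default "ROLE_" prefix before comparing and hasAuthority compares the string as given. The class name RolePrefixCheck, the helper names and the sample user name are made up for the illustration.

```java
import java.util.List;

import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

public class RolePrefixCheck {

    // Builds the object that access="..." expressions are evaluated against,
    // for an authenticated user holding exactly the given authorities.
    static SecurityExpressionRoot rootFor(String... authorities) {
        List<GrantedAuthority> granted = AuthorityUtils.createAuthorityList(authorities);
        // Constructed sample principal; the three-argument token is marked authenticated.
        Authentication auth =
                new UsernamePasswordAuthenticationToken("recruiter@example.test", "n/a", granted);
        // SecurityExpressionRoot is abstract but declares no abstract methods.
        return new SecurityExpressionRoot(auth) { };
    }

    // Evaluates both expressions for one user so the two comparisons can be read side by side.
    static void report(String label, SecurityExpressionRoot root) {
        System.out.printf("%-28s hasRole('Recruiter')=%-5b hasAuthority('Recruiter')=%b%n",
                label, root.hasRole("Recruiter"), root.hasAuthority("Recruiter"));
    }

    public static void main(String[] args) {
        // Authority exactly as the question's buildSimpleGrantedAuthority stores it.
        report("authority \"Recruiter\"", rootFor("Recruiter"));
        // Authority as the answer's version stores it.
        report("authority \"ROLE_Recruiter\"", rootFor("ROLE_Recruiter"));
    }
}
```

If the stored role names should stay unprefixed, the intercept-url rule can use access="hasAuthority('Recruiter')" instead of changing buildSimpleGrantedAuthority; the equals("Recruiter") comparison in the login controller then stays valid as well.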