基于具有jdbc身份验证的角色重定向到控制器中的url

Question

我正在学习Spring Security。我已经根据github骨架项目制作了标准的登录和注册页面。只要我在DB中只使用了一个角色，我就可以通过我所获得的一个角色轻松管理默认的成功URL。但是现在我想根据ADMIN和USER角色添加两个默认URL。 我在这里已经阅读了这个determine target url based on roles in spring security 3.1答案，并尝试实现它，但isUserInRole()方法始终返回false值。我正在使用jdbc身份验证。

我的MVC配置：

@Configuration
@ComponentScan(basePackages={"hu.kreszapp"})
public class MvcConfig extends WebMvcConfigurerAdapter{

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();
        return bCryptPasswordEncoder;
    }

}

我的安全配置：

@Configuration
@EnableWebSecurity
@ComponentScan(basePackages={"hu.kreszapp"})
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private BCryptPasswordEncoder bCryptPasswordEncoder;

    @Autowired
    private DataSource dataSource;

    @Value("${spring.queries.users-query}")
    private String usersQuery;

    @Value("${spring.queries.roles-query}")
    private String rolesQuery;


    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.
                jdbcAuthentication()
                .usersByUsernameQuery(usersQuery)
                .authoritiesByUsernameQuery(rolesQuery)
                .dataSource(dataSource)
                .passwordEncoder(bCryptPasswordEncoder);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.
                sessionManagement() //session management
                .sessionCreationPolicy(SessionCreationPolicy.ALWAYS) //session management
                .and()
                .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/login").permitAll()
                .antMatchers("/registration").permitAll()
                .antMatchers("/home").hasRole("ADMIN")//hasAuthority("ADMIN")
                .antMatchers("/game").hasRole("USER").anyRequest()//hasAuthority("USER").anyRequest()
                .authenticated().and().csrf().disable().formLogin()
                .loginPage("/login").failureUrl("/login?error=true")
                .defaultSuccessUrl("/default")
                .usernameParameter("email")
                .passwordParameter("password")
                .and().logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/").and().exceptionHandling()
                .accessDeniedPage("/access-denied");
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
                .ignoring()
                .antMatchers("/resources/**", "/static/**", "/css/**", "/js/**", "/templates/images/**");
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");

        auth
                .inMemoryAuthentication()
                .withUser("admin").password("admin").roles("ADMIN");

    }
}

我的控制器：

 @RequestMapping(value="/home", method = RequestMethod.GET)
    public ModelAndView home(){
        ModelAndView modelAndView = new ModelAndView();
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        User user = userService.findUserByEmail(auth.getName());
        modelAndView.addObject("userName", "Welcome " + user.getUsername() +  " (" + user.getEmail() + ")");
        modelAndView.addObject("adminMessage","Content Available Only for Users with Admin Role");
        modelAndView.setViewName("/home");

        return modelAndView;
    }

    @RequestMapping(value="/game", method = RequestMethod.GET)
    public ModelAndView game(){
        ModelAndView modelAndView = new ModelAndView();
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        User user = userService.findUserByEmail(auth.getName());
        modelAndView.addObject("userName", "Welcome " + user.getUsername() +  " (" + user.getEmail() + ")");
        modelAndView.addObject("adminMessage","Content Available Only for Users with Admin Role");
        modelAndView.setViewName("/game");

        return modelAndView;
    }

    @RequestMapping(value="/default")
    public String default(HttpServletRequest request){
        Principal u = request.getUserPrincipal();
        logger.info("user principal:" + u.toString());

        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String role = auth.getAuthorities().toString();
        logger.info("Role:" + u.toString());


        boolean r1 = request.isUserInRole("USER");
        boolean r2 = request.isUserInRole("ADMIN");
        boolean r3 =request.isUserInRole("1");
        boolean r4 =request.isUserInRole("2");

        logger.info("isUserInRole values:"+ r1 + " " + r2 + " " + r3 +" "+ r4);



        if(request.isUserInRole("ADMIN")) {
            logger.info("Admin check lefut!");
            return "home";
        }
        logger.warn("Admin check nem fut let!");

        return "game";
    }

在我的默认控制器中 - 它代表按角色重定向到指定的页面 - request.isUserInRole("ADMIN")方法始终返回false值...但是我的数据库中的用户具有ADMIN角色和日志还证明我指定的用户已授予Admin角色：

Principal u = request.getUserPrincipal();
    logger.info("user principal:" + u.toString());

    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    String role = auth.getAuthorities().toString();
    logger.info("Role:" + u.toString());

我的问题是，为什么此方法无法通知ADMIN用户？如何通过jdbc身份验证的角色设置重定向？

提前谢谢

Answer 1

Spring Security使用ROLE_作为角色的前缀。代码request.isUserInRole("USER")将寻找ROLE_USER。如果您的数据库中的角色也没有前缀，则它们将不相等。

您还可以在configure(HttpSecurity http)方法中设置Spring Security使用的前缀。

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .servletApi().rolePrefix("MY_ROLE_PREFIX_");
}

http://docs.spring.io/spring-security/site/docs/current/apidocs/org/springframework/security/config/annotation/web/builders/HttpSecurity.html