Spring Security role problem after upgrading from 3.4 to 5

Time: 2018-05-22 11:33:33

Tags: spring spring-security

I upgraded Spring Security from 3.4 to 5. It used to work fine before. When I hit my GET API with the role defined in my security-context.xml file

<security:intercept-url method="GET"
            pattern="/readData/catlog/category/**"
            access="hasAnyRole('MasterAdmin','ManageCategories','ViewCategories')" />

When I hit the URL http://192.168.1.85:8087/api/readData/catlog/category?start=0&aid=all&db=xyz it shows the error "Access to the specified resource has been forbidden". Then I tried

<security:intercept-url method="GET"
            pattern="/readData/catlog/category/**" access="permitAll" />

and the URL works fine. When I revert to Spring Security 3.4 it works with the roles. The code is the same in both cases. I also tried disabling csrf

 <security:csrf disabled="true" /> 

The Spring Security debug log shows

DEBUG: org.springframework.security.web.FilterChainProxy - /readData/catlog/category?start=0&count=50&hw=^&st=ALL&type=^&typeQuery=^&ic=false&aid=all&db=xyz at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /readData/catlog/category?start=0&count=50&hw=^&st=ALL&type=^&typeQuery=^&ic=false&aid=all&db=xyz at position 2 of 8 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /readData/catlog/category?start=0&count=50&hw=^&st=ALL&type=^&typeQuery=^&ic=false&aid=all&db=xyz at position 3 of 8 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /readData/catlog/category?start=0&count=50&hw=^&st=ALL&type=^&typeQuery=^&ic=false&aid=all&db=xyz at position 4 of 8 in additional filter chain; firing Filter: 'AuthenticationTokenProcessingFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /readData/catlog/category?start=0&count=50&hw=^&st=ALL&type=^&typeQuery=^&ic=false&aid=all&db=xyz at position 5 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /readData/catlog/category?start=0&count=50&hw=^&st=ALL&type=^&typeQuery=^&ic=false&aid=all&db=xyz at position 6 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG: org.springframework.security.web.authentication.AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@7db2532a: Principal: org.springframework.security.core.userdetails.User@37ac6cbe: Username: 59c0bfc743d9461c695471f7; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ManageAGI,ManageAttributes,ManageBrands,ManageCategories,ManageImages,ManageKeywords,ManageProducts,ManageProfiles,ManageTransactions,ROLE_CATEGORIES,ROLE_CATEGORIE_ADD,ROLE_CONNECTION,ROLE_DEALS,ROLE_DEALS_VIEW,ROLE_JOBS,ROLE_JOBS_VIEW,ROLE_ORDER,ROLE_PROFILE,ViewAGI,ViewAttributes,ViewBrands,ViewCategories,ViewKeywords,ViewProducts,ViewProfiles,ViewTransactions,business; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@7798: RemoteIpAddress: 192.168.1.85; SessionId: null; Granted Authorities: ManageAGI, ManageAttributes, ManageBrands, ManageCategories, ManageImages, ManageKeywords, ManageProducts, ManageProfiles, ManageTransactions, ROLE_CATEGORIES, ROLE_CATEGORIE_ADD, ROLE_CONNECTION, ROLE_DEALS, ROLE_DEALS_VIEW, ROLE_JOBS, ROLE_JOBS_VIEW, ROLE_ORDER, ROLE_PROFILE, ViewAGI, ViewAttributes, ViewBrands, ViewCategories, ViewKeywords, ViewProducts, ViewProfiles, ViewTransactions, business'
DEBUG: org.springframework.security.web.FilterChainProxy - /readData/catlog/category?start=0&count=50&hw=^&st=ALL&type=^&typeQuery=^&ic=false&aid=all&db=xyz at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /readData/catlog/category?start=0&count=50&hw=^&st=ALL&type=^&typeQuery=^&ic=false&aid=all&db=xyz at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'PUT /profileService/gender/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/readData/catlog/category'; against '/profileService/register/basic'
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/readData/catlog/category'; against '/loginService/authenticate'
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/readData/catlog/category'; against '/profileService/contactDetails/emailid/verify'
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/readData/catlog/category'; against '/communicationService/**'
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'PUT /communicationService/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'POST /communicationService/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'DELETE /communicationService/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'POST /bookmark/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/readData/catlog/category'; against '/bookmark/**'
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'DELETE /bookmark/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'POST /business/key
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'DELETE /business/key/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'PUT /business/key
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'POST /follow/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'PUT /follow/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'DELETE /follow/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'POST /reportAbuse/admin/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'PUT /reportAbuse/admin/remove/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'POST /post/deal/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'PUT /post/deal/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'DELETE /post/deal/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/readData/catlog/category'; against '/post/deal/**'
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'POST /job/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'PUT /job/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'DELETE /job/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/readData/catlog/category'; against '/job/**'
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'POST /image/upload/csv/tkeyword/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'POST /readData/admin/phrases/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'PUT /readData/admin/phrases/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'PUT /readData/admin/old/phrases/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'PUT /readData/phrase/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'PUT /readData/bulk/phrases/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'POST /image/upload/csv/category/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'POST /image/upload/csv/attribute/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'PUT /admin/userName/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'PUT /readData/admin/agi/refresh/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'POST /image/upload/csv/keywordInfo/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'POST /image/upload/csv/brand/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Request 'GET /readData/catlog/category' doesn't match 'POST /image/upload/csv/product/**
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/readData/catlog/category'; against '/readData/catlog/keyword/**'
DEBUG: org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/readData/catlog/category'; against '/readData/catlog/category/**'
DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /readData/catlog/category?start=0&count=50&hw=^&st=ALL&type=^&typeQuery=^&ic=false&aid=all&db=xyz; Attributes: [hasAnyRole('MasterAdmin','ManageCategories','ViewCategories')]
DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@7db2532a: Principal: org.springframework.security.core.userdetails.User@37ac6cbe: Username: 59c0bfc743d9461c695471f7; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ManageAGI,ManageAttributes,ManageBrands,ManageCategories,ManageImages,ManageKeywords,ManageProducts,ManageProfiles,ManageTransactions,ROLE_CATEGORIES,ROLE_CATEGORIE_ADD,ROLE_CONNECTION,ROLE_DEALS,ROLE_DEALS_VIEW,ROLE_JOBS,ROLE_JOBS_VIEW,ROLE_ORDER,ROLE_PROFILE,ViewAGI,ViewAttributes,ViewBrands,ViewCategories,ViewKeywords,ViewProducts,ViewProfiles,ViewTransactions,business; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@7798: RemoteIpAddress: 192.168.1.85; SessionId: null; Granted Authorities: ManageAGI, ManageAttributes, ManageBrands, ManageCategories, ManageImages, ManageKeywords, ManageProducts, ManageProfiles, ManageTransactions, ROLE_CATEGORIES, ROLE_CATEGORIE_ADD, ROLE_CONNECTION, ROLE_DEALS, ROLE_DEALS_VIEW, ROLE_JOBS, ROLE_JOBS_VIEW, ROLE_ORDER, ROLE_PROFILE, ViewAGI, ViewAttributes, ViewBrands, ViewCategories, ViewKeywords, ViewProducts, ViewProfiles, ViewTransactions, business
DEBUG: org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@62b1faa8, returned: -1
DEBUG: org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at com.cheasyy.cofinding.util.AuthenticationTokenProcessingFilter.doFilter(AuthenticationTokenProcessingFilter.java:85)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:209)
    at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:244)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
DEBUG: org.springframework.security.web.header.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@70977edb
DEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

security-context.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"

xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security.xsd">

<!-- SPRING SECURITY SETUP -->

<beans:bean id="userDao" class="com.myOrganization.demo.dao.UserDAO">
</beans:bean>

<beans:bean id="passwordEncoder"
    class="org.springframework.security.crypto.password.StandardPasswordEncoder">
    <beans:constructor-arg value="myPassword" />
</beans:bean>

<security:authentication-manager id="authenticationManager">
    <security:authentication-provider
        user-service-ref="userDao">
        <security:password-encoder ref="passwordEncoder"></security:password-encoder>
    </security:authentication-provider>
</security:authentication-manager>

<security:http realm="Protected API" use-expressions="true"
    auto-config="false" create-session="stateless" entry-point-ref="unauthorizedEntryPoint"
    authentication-manager-ref="authenticationManager">
    <security:custom-filter ref="authenticationTokenProcessingFilter"
        position="FORM_LOGIN_FILTER" />



    <security:intercept-url pattern="/profileService/register/basic"
        access="permitAll" />

    <security:intercept-url pattern="/loginService/authenticate"
        access="permitAll" />

    <!-- category -->
    <security:intercept-url method="GET"
        pattern="/readData/catlog/category/**"
        access="hasAnyRole('MasterAdmin','ManageCategories','ViewCategories')" />

    <security:csrf disabled="true" />


</security:http>
<beans:bean id="unauthorizedEntryPoint"
    class="com.myOrganization.demo.util.UnauthorizedEntryPoint" />

<beans:bean
    class="com.myOrganization.demo.util.AuthenticationTokenProcessingFilter"
    id="authenticationTokenProcessingFilter">
    <beans:constructor-arg ref="userDao" />
</beans:bean>

</beans:beans>

AuthenticationTokenProcessingFilter

@Override
public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException {
    HttpServletRequest httpRequest = this.getAsHttpRequest(request);
    HttpServletResponse httpResponse = this.getAsHttpResponse(response);

    String authToken = this.extractAuthTokenFromRequest(httpRequest);
    String userName = null;
    if (null == authToken)
        userName = null;
    else {
        String[] parts = authToken.split(":");

        if (parts.length > 4)
            userName = parts[0] + ":" + parts[4];
        else
            userName = parts[0];
    }

    RedisToken token = null;

    try {
        if (authToken != null && userName != null) {
            // get token from redis
            token = redisUserDAO.get(authToken);
            UserAgent userAgent = UserAgent
                    .parseUserAgentString(httpRequest
                            .getHeader("User-Agent"));

            Boolean isToken = TokenUtils.isToken(authToken, token,
                    userAgent.getBrowser().getName(), userAgent
                            .getOperatingSystem().getName());

            UserDetails userDetails = this.userService
                    .loadUserByUsername(userName);

            if (isToken) {
                UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
                        userDetails, null, userDetails.getAuthorities());
                authentication
                        .setDetails(new WebAuthenticationDetailsSource()
                                .buildDetails(httpRequest));
                SecurityContextHolder.getContext().setAuthentication(
                        authentication);
            }

        }

        chain.doFilter(request, response);

    } catch (InternalAuthenticationServiceException internalAuthenticationServiceException) {
        SecurityContextHolder.clearContext();
        logger.error("Internal authentication service exception",
                internalAuthenticationServiceException);
        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    } catch (Exception e) {
        SecurityContextHolder.clearContext();
        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}

private HttpServletRequest getAsHttpRequest(ServletRequest request) {
    if (!(request instanceof HttpServletRequest)) {
        throw new RuntimeException("Expecting an HTTP request");
    }

    return (HttpServletRequest) request;
}

private HttpServletResponse getAsHttpResponse(ServletResponse response) {
    if (!(response instanceof HttpServletResponse)) {
        throw new RuntimeException("Expecting an HTTP response");
    }

    return (HttpServletResponse) response;
}

private String extractAuthTokenFromRequest(HttpServletRequest httpRequest) {
    /* Get token from header */
    String authToken = httpRequest.getHeader("X-Auth-Token");

    /* If token not found get it from request parameter */
    if (authToken == null) {
        authToken = httpRequest.getParameter("token");
    }

    return authToken;
}


1 answer:

Answer 0: (score: 1)

According to the documentation, hasAnyRole adds the ROLE_ prefix to each value by default.

What you actually want to check is the user's authorities. So you need to use hasAnyAuthority:

<security:intercept-url method="GET"
        pattern="/readData/catlog/category/**"
        access="hasAnyAuthority('MasterAdmin','ManageCategories','ViewCategories')" />
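To make the answer concrete, here is a small Python model of the decision the debug log records. It is an added example written for this page, not code from the question, the answer or Spring Security itself. It assumes the Spring Security 5.x rules that hasRole/hasAnyRole prepend "ROLE_" unless the value already starts with it, that hasAuthority/hasAnyAuthority compare the value verbatim, that AntPathMatcher lets a trailing "/**" also match the bare base path (which is why '/readData/catlog/category' matched '/readData/catlog/category/**' in the log), and that an unmatched URL is let through because FilterSecurityInterceptor's rejectPublicInvocations defaults to false. The authority list is a subset copied from the "Previously Authenticated" log line; the rule table is the intercept-url list from security-context.xml.

```python
"""Replay of Spring Security 5 intercept-url authorization on the logged request.

Assumed semantics (mirroring SecurityExpressionRoot and AntPathMatcher in 5.x):
  * hasRole/hasAnyRole   -> compare "ROLE_" + value (prefix skipped if already present)
  * hasAuthority/hasAnyAuthority -> compare value as given
  * a trailing "/**" in an Ant pattern matches the base path itself as well
  * no matching intercept-url -> request is treated as public (rejectPublicInvocations=false)
"""
import re

ROLE_PREFIX = "ROLE_"

# Subset of the granted authorities from the "Previously Authenticated" log line.
LOG_AUTHORITIES = frozenset({
    "ManageCategories", "ViewCategories", "ManageProducts",
    "ROLE_CATEGORIES", "ROLE_CATEGORIE_ADD", "ROLE_PROFILE", "business",
})

# intercept-url rules from security-context.xml: (method or None, ant pattern, access)
RULES = [
    (None, "/profileService/register/basic", "permitAll"),
    (None, "/loginService/authenticate", "permitAll"),
    ("GET", "/readData/catlog/category/**",
     "hasAnyRole('MasterAdmin','ManageCategories','ViewCategories')"),
]

_CALL = re.compile(r"^(\w+)\s*\((.*)\)$", re.S)   # e.g. hasAnyRole('A','B')
_ARG = re.compile(r"'([^']*)'")                   # quoted arguments inside the call


def with_role_prefix(role):
    """Spring 5.x getRoleWithDefaultPrefix: add ROLE_ only if it is not there yet."""
    return role if role.startswith(ROLE_PREFIX) else ROLE_PREFIX + role


def evaluate(access, authorities):
    """Evaluate one access expression against the user's granted authorities."""
    access = access.strip()
    if access == "permitAll":
        return True
    if access == "denyAll":
        return False
    m = _CALL.match(access)
    if not m:
        raise ValueError("unsupported access expression: %r" % access)
    name, raw_args = m.groups()
    args = _ARG.findall(raw_args)
    if name in ("hasRole", "hasAnyRole"):
        wanted = {with_role_prefix(a) for a in args}      # ROLE_MasterAdmin, ...
    elif name in ("hasAuthority", "hasAnyAuthority"):
        wanted = set(args)                                 # MasterAdmin, ...
    else:
        raise ValueError("unsupported function: %r" % name)
    return bool(wanted & set(authorities))


def ant_to_regex(pattern):
    """Translate an Ant-style URL pattern into an anchored regex."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out += "(/.*)?"          # trailing /** also matches the base path
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def decide(method, path, rules, authorities):
    """First matching rule wins, as in FilterSecurityInterceptor.

    Returns (access_expression, granted). With no matching rule the request is
    treated as public, which is the Spring default and worth knowing when auditing
    a rule table such as the one in the question.
    """
    for rule_method, pattern, access in rules:
        if rule_method is not None and rule_method != method:
            continue
        if ant_to_regex(pattern).match(path):
            return access, evaluate(access, authorities)
    return None, True


def replay_logged_request():
    """The GET from the debug log: denied under hasAnyRole, allowed under hasAnyAuthority."""
    broken = decide("GET", "/readData/catlog/category", RULES, LOG_AUTHORITIES)
    fixed_rules = [(m, p, a.replace("hasAnyRole", "hasAnyAuthority")) for m, p, a in RULES]
    fixed = decide("GET", "/readData/catlog/category", fixed_rules, LOG_AUTHORITIES)
    return broken[1], fixed[1]


if __name__ == "__main__":
    print("hasAnyRole granted: %s, hasAnyAuthority granted: %s" % replay_logged_request())
```

Running the script prints `hasAnyRole granted: False, hasAnyAuthority granted: True`, reproducing the `WebExpressionVoter ... returned: -1` line from the log and the fix in the answer. Note that `hasRole('CATEGORIES')` would have passed all along, because the user does hold `ROLE_CATEGORIES`; the failing values were the unprefixed ones.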