spring security tag library sec:authorize url not working

时间:2018-06-11 10:38:02

标签: spring security tags libs

在我的 Spring Boot 项目中,我使用了 Spring Security 标签库(taglibs)。当我以具有 ROLE_USER 角色的用户 ID 登录时,根据我的配置,页面不应该显示 ADMIN 区域。

<%-- With the url attribute, the body is rendered only when the current user would be allowed to request that URL.
     This only hides markup; the server-side URL rules remain the real access control. --%>
<sec:authorize  url="/admin/**">
        <p>This is shown who has a role ADMIN</p>
    </sec:authorize>

这一部分。

但它不起作用。

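<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<%--
  Home page that shows the logged-in user's name and authorities, then a set of
  fragments guarded by Spring Security JSP tags.

  The sec:authorize tags only decide what markup is rendered. They are a
  convenience for the UI, not an access control: the URL rules in the security
  configuration must still reject the request on the server side.
--%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
    <h2>Welcome Home <sec:authentication property="name"/></h2>
    <%-- Closing tag fixed: the heading was opened as h3 but closed as h2. --%>
    <h3>roles : <sec:authentication property="principal.authorities"/></h3>

    <%-- access="...": the expression is evaluated against the current Authentication. --%>
    <sec:authorize access="hasRole('ADMIN')">
        <p>This is shown who has a role ADMIN</p>
    </sec:authorize>

    <sec:authorize access="hasRole('USER')">
        <p>This is shown who has a role USER</p>
    </sec:authorize>

    <sec:authorize access="hasRole('TESTER')">
        <p>This is shown who has a role TESTER</p>
    </sec:authorize>

    <%-- url="...": the body is shown only if the current user would be allowed to request
         that URL, so the result depends on which URL rules are actually registered with
         Spring Security at runtime. --%>
    <sec:authorize url="/admin/**">
        <p>This is shown whom can access to /admin/**</p>
    </sec:authorize>

    <sec:authorize url="/user/**">
        <p>This is shown whom can access to /user/**</p>
    </sec:authorize>

    <sec:authorize url="/tester/**">
        <p>This is shown whom can access to /tester/**</p>
    </sec:authorize>

    <%-- Logout is a state-changing POST. Spring Security enables CSRF protection by default,
         so the form must carry the CSRF token or the request is rejected. --%>
    <form action="/logout" method="post">
        <sec:csrfInput/>
        <input type="submit" value="Sign Out"/>
    </form>

</body>
</html>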

[查看] [1]

我已经尝试了 Stack Overflow 上有关此问题的所有答案,但仍然无法解决。我已经花了两周多的时间试图解决这个问题。当我用 Thymeleaf 测试相同的 Java 配置时,它可以正常工作,但用 JSP 就不行。

这是我的 Spring Security Java 配置:

请帮我解决这个问题。

 // Security configuration from the question: URL access rules, a role hierarchy,
 // three in-memory demo users and an expression handler that knows the hierarchy.
 //
 // NOTE(review): the class does not extend WebSecurityConfigurerAdapter and
 // configure(HttpSecurity) carries no @Override, so with the Spring Security 5.0.x
 // setup shown on this page the method is presumably never invoked. In that case none
 // of the antMatchers rules below are registered, neither for request filtering nor
 // for the url attribute of the JSP authorize tag.
 @Configuration
    @EnableWebSecurity
    public class WebSecurity {

        /**
         * Declares the URL access rules, the form login and the logout handling.
         *
         * Rules are listed from specific to general: "/", "/home" and "/test" are open
         * to everyone, /admin/** needs ADMIN, /user/** needs USER, /tester/** needs
         * TESTER, and every other request only needs an authenticated user. The login
         * page at /login and the logout endpoint are open to everyone.
         *
         * @param http the builder the rules are applied to
         * @throws Exception propagated from the HttpSecurity builder calls
         */
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .expressionHandler(expressionHandler())
                    .antMatchers("/", "/home", "/test").permitAll()
                    .antMatchers("/admin/**").hasRole("ADMIN")
                    .antMatchers("/user/**").hasAnyRole("USER")
                    .antMatchers("/tester/**").hasAnyRole("TESTER")
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll();

        }

        /**
         * Builds the role hierarchy ADMIN > USER > TESTER, so a higher role is meant
         * to include the roles below it.
         *
         * NOTE(review): the two rules are joined with " and " in one string; verify that
         * this RoleHierarchyImpl version parses that separator as two rules.
         *
         * @return the configured role hierarchy bean
         */
        @Bean
        public RoleHierarchyImpl roleHierarchy() {
        RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
            String hierarchy ="ROLE_ADMIN > ROLE_USER and ROLE_USER > ROLE_TESTER";
            roleHierarchy.setHierarchy(hierarchy);
         return roleHierarchy;
        }


        // Creates three in-memory users: user (USER), tester (TESTER) and admin (ADMIN).
        // The {noop} prefix marks the passwords as stored without any hashing, and the
        // credentials are hard-coded in source: acceptable for a demo only.
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {

            auth.inMemoryAuthentication()
                    .withUser("user").password("{noop}password").roles("USER")
                    .and()
                    .withUser("tester").password("{noop}tester").roles("TESTER")
                    .and()
                    .withUser("admin").password("{noop}admin").roles("ADMIN");
        }


        /**
         * Creates a web expression handler that resolves roles through roleHierarchy().
         *
         * NOTE(review): this is a private method, not a @Bean. It is only handed to the
         * authorizeRequests() rules above; code that looks a SecurityExpressionHandler up
         * from the application context (the JSP authorize tag appears to do so for
         * access="...") would not see this hierarchy-aware instance. Confirm.
         *
         * @return an expression handler configured with the role hierarchy
         */
        private SecurityExpressionHandler<FilterInvocation> expressionHandler() {
            DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
            defaultWebSecurityExpressionHandler.setRoleHierarchy(roleHierarchy());
            return defaultWebSecurityExpressionHandler;
        }

    }

build.gradle:

// Gradle build for the Spring Boot application from the question (JSP views
// rendered with the Spring Security tag library).
buildscript {
    ext {
        // Single place that selects the Spring Boot plugin version.
        springBootVersion = '2.0.2.RELEASE'
    }
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath("org.springframework.boot:spring-boot-gradle-plugin:${springBootVersion}")
    }
}

apply plugin: 'java'
apply plugin: 'eclipse'
apply plugin: 'org.springframework.boot'
// Lets dependencies declared without a version take the version chosen by Spring Boot.
apply plugin: 'io.spring.dependency-management'

group = 'com.bulky'
version = '0.0.1-SNAPSHOT'
sourceCompatibility = 1.8

repositories {
    mavenCentral()
}


dependencies {
    compile('org.springframework.boot:spring-boot-starter-web')
    testCompile('org.springframework.boot:spring-boot-starter-test')
    // tag::security[]
    compile("org.springframework.boot:spring-boot-starter-security")
    // NOTE(review): the taglibs version is pinned by hand while starter-security is
    // managed by Boot; the two can drift apart on a Boot upgrade. Presumably the
    // version can be omitted so dependency management keeps them aligned (confirm).
    compile 'org.springframework.security:spring-security-taglibs:5.0.5.RELEASE'
    // end::security[]
    compile 'javax.servlet:jstl:1.2'
    // NOTE(review): this pins a milestone (M18) build of the JSP engine, independent of
    // the embedded Tomcat that starter-web brings in. A hand-pinned pre-release does not
    // pick up fixes through Boot upgrades and may not match the container version;
    // consider omitting the version if Boot manages this artifact (confirm).
    compile 'org.apache.tomcat.embed:tomcat-embed-jasper:9.0.0.M18'
}

ps:对不起英语不好

1 个答案:

答案 0 :(得分:0)

除了 WebSecurity 类没有继承 WebSecurityConfigurerAdapter 之外,所有安全配置都是正确的。我认为您需要先继承该类,以确保 configure 方法确实被覆盖。否则 Spring Security 不会调用您的 configure(HttpSecurity) 方法,其中的 URL 规则也就不会生效。

@Configuration
@EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {

  // Overriding configure(HttpSecurity) is what hands the URL rules to Spring Security;
  // @Override makes the compiler reject the method if it does not match the adapter.
  // NOTE: WebSecurityConfigurerAdapter fits the Spring Security 5.0.x used on this page;
  // it was deprecated in 5.7 and removed in 6.0, where a SecurityFilterChain bean is
  // declared instead.
  @Override
  protected void configure(HttpSecurity http) throws Exception {
   // Your code here: the authorizeRequests() / formLogin() / logout() chain from the question.
  }