我试图仅在允许用户角色的情况下显示链接。 但是链接不会被隐藏,并且所有角色都可以显示。
在这里看到了很多类似的查询,但没有一个解决方案在起作用。请告知我所缺少的。
配置。
@Configuration
@EnableWebSecurity
public class SecConfig extends WebSecurityConfigurerAdapter{
private final String USER = "USER";
private final String ADMIN = "ADMIN";
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/").hasAnyRole(USER, ADMIN)
.antMatchers("/closed").hasRole(ADMIN).and()
.formLogin().defaultSuccessUrl("/");
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("jane").password(passwordEncoder().encode("qwe")).roles(ADMIN, USER).and()
.withUser("john").password(passwordEncoder().encode("qwe")).roles(USER);
}
@Bean
public BCryptPasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
}
POM
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity4</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
HTML
<a th:href="@{/closed}">Go to closed</a>
<br/><br/>
<form th:action="@{/logout}" method="post">
<input type="submit" value="Log out">
</form>
<br/>
<h2>Welcome</h2>
<p>Spring Security Thymeleaf</p>
<div sec:authorize="hasRole('USER')">Text visible to user.</div>
<div sec:authorize="hasRole('ADMIN')">Text visible to admin.</div>
<div sec:authorize="isAuthenticated()">
Text visible only to authenticated users.
</div>
Authenticated username:
<div sec:authentication="name"></div>
Authenticated user roles:
<div sec:authentication="principal.authorities"></div>
即使Jane没有管理员权限,上面的所有内容也会显示。另外,甚至她的角色和用户名也不会显示。
我还尝试了如下配置方言,这没有什么区别。
@Configuration
public class LeafConfig {
@Bean
public SpringSecurityDialect springSecurityDialect(){
return new SpringSecurityDialect();
}
}
以下是Jane或John显示的内容。没什么区别:
Welcome
Spring Security Thymeleaf
Text visible to user.
Text visible to admin.
Text visible only to authenticated users.
Authenticated username:
Authenticated user roles:
答案 0 :(得分:1)
由于您正在使用Spring Security Extras,因此可以代替sec:authorization尝试使用${#authorization.expression('hasRole(''ROLE_ADMIN'')'}。例如。
<div th:if="${#authorization.expression('hasRole(''USER'')'}">Text visible to user.</div>
<div th:if="${#authorization.expression('hasRole(''ADMIN'')'}">Text visible to admin.</div>
<div th:if="${#authorization.expression('isAuthenticated()')}">
Text visible only to authenticated users.
</div>
如果您使用权限而不是角色,则以下代码可以解决问题。
<div th:if="${#authorization.expression('hasAuthority(''ADMIN'')')}">ADMIN</div>
<div th:if="${#authorization.expression('hasAuthority(''USER'')')}">USER</div>
<div th:if="${#authorization.expression('isAuthenticated()')}">
Text visible only to authenticated users.
</div>
</div>
关于配置,请在org.thymeleaf.extras中将thymeleaf-extras-springsecurity5的{{1}}更改为.pom,然后需要在配置中添加Spring Dialect @Bean。
POM
<dependencies>
...
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
</dependency>
...
</dependencies>
LeafConfig
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect;
@Configuration
public class LeafConfig {
@Bean
public SpringSecurityDialect springSecurityDialect(){
return new SpringSecurityDialect();
}
}
这些更改之后,一切都会按预期进行。
答案 1 :(得分:0)
您应该按如下方式使用它:
<sec:authorize access="hasRole('ADMIN')">
<div>
This content will only be visible to users who have
the "ADMIN" authority in their list of GrantedAuthority's.
</div>
</sec:authorize>