我正在尝试使用 Spring 3 设置基于数据库的用户身份验证。登录表单目前用的是 Spring 自带的方式:
<%-- Spring Security 3 form-login defaults: the filter listens on /j_spring_security_check and reads the
     j_username / j_password request parameters, so the action URL and the two input names must match exactly. --%>
<form action="<c:url value="/j_spring_security_check" />" method="POST">
<fieldset>
<input name="j_username" type="text" placeholder="name" autofocus="autofocus" /><br/>
<input name="j_password" type="password" placeholder="password" /><br/>
<%-- NOTE(review): the form carries no CSRF token. Spring Security releases before 3.2 add none themselves,
     so login CSRF protection (if required) has to come from elsewhere; confirm against the deployed version. --%>
<input type="submit" value="Login" />
</fieldset>
</form>
根据日志(从我的userService类中实现Spring UserDetailsService接口的日志记录),这导致从数据库中获取用户并分配角色(使用UserDetails.toString在日志中查看)。
当我访问应用程序的 URL 时,会被正确地送到登录页面。登录之后,无论请求的是哪个 URL,我都会被重定向到 accessDenied 页面。我的安全配置是哪里设置错了吗?
我的安全配置如下:(已删除 schema 引用等内容才被允许发布——它们会被识别为 URL!)
<!-- Enables @PreAuthorize / @PostAuthorize (and the Pre/PostFilter variants) on beans, as a second authorization layer beside the URL rules in <http>. -->
<global-method-security pre-post-annotations="enabled"></global-method-security>
<!-- URL rules: intercept-url entries are evaluated top-down and the FIRST matching pattern (and method, where given) wins, so the order below is part of the policy. use-expressions="true" makes access="..." a SpEL expression. -->
<http auto-config="true" create-session="ifRequired" use-expressions="true" access-denied-page="/accessDenied">
<logout invalidate-session="true" logout-success-url="/loggedOut" />
<!-- Gives unauthenticated requests an anonymous token carrying ROLE_ANONYMOUS (the default). A logged-in user does NOT hold ROLE_ANONYMOUS; see the /include/js/** rule below. -->
<anonymous/>
<form-login login-page="/login" authentication-failure-url="/login"/>
<intercept-url pattern="/reports/**" access="hasRole('ROLE_REPORTS')" />
<!-- "/" matches the context root only. There is no trailing "/**" rule in this list, so a URL that matches none of the patterns below (e.g. a new controller path) carries no access attribute and is not protected by the filter. Closing the list with <intercept-url pattern="/**" access="denyAll" /> (or isAuthenticated()), placed AFTER the filters="none" entries, makes the policy deny by default. -->
<intercept-url pattern="/" access="hasRole('ROLE_REPORTS')" />
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
<!-- Data endpoints: readers (ROLE_REPORTS) may GET, only ROLE_ADMIN may DELETE/POST/PUT. A rule with method="..." matches only that verb, so HEAD, OPTIONS or PATCH requests to these paths match nothing here and fall through to the (absent) catch-all. -->
<intercept-url pattern="/data/routes" method="GET" access="hasRole('ROLE_REPORTS')" />
<intercept-url pattern="/data/routes" method="DELETE" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/data/routes" method="POST" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/data/routes" method="PUT" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/data/route/**" method="GET" access="hasRole('ROLE_REPORTS')" />
<intercept-url pattern="/data/route/**" method="DELETE" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/data/route/**" method="POST" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/data/route/**" method="PUT" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/data/patrolsummaries" method="GET" access="hasRole('ROLE_REPORTS')" />
<intercept-url pattern="/data/patrolsummaries" method="DELETE" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/data/patrolsummaries" method="POST" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/data/patrolsummaries" method="PUT" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/data/patrolsummary/**" method="GET" access="hasRole('ROLE_REPORTS')" />
<intercept-url pattern="/data/patrolsummary/**" method="DELETE" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/data/patrolsummary/**" method="POST" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/data/patrolsummary/**" method="PUT" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/data/guards" method="GET" access="hasRole('ROLE_REPORTS')" />
<intercept-url pattern="/data/guards" method="DELETE" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/data/guards" method="POST" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/data/guards" method="PUT" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/data/guard/**" method="GET" access="hasRole('ROLE_REPORTS')" />
<intercept-url pattern="/data/guard/**" method="DELETE" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/data/guard/**" method="POST" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/data/guard/**" method="PUT" access="hasRole('ROLE_ADMIN')" />
<!-- Static script rules: the more specific admin/ and pages/ paths must stay above the broader /include/js/** entry. -->
<intercept-url pattern="/include/js/pages/admin/**" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/include/js/pages/all.js" access="hasRole('ROLE_REPORTS')" />
<intercept-url pattern="/include/js/pages/**" access="hasRole('ROLE_REPORTS')" />
<!-- hasRole('ROLE_ANONYMOUS') admits ONLY anonymous users: an authenticated user lacks that authority and is sent to access-denied-page for any script here not matched above. To serve these files to everyone use access="permitAll" instead. -->
<intercept-url pattern="/include/js/**" access="hasRole('ROLE_ANONYMOUS')" />
<!-- filters="none" skips the whole security filter chain for these paths (no SecurityContext or session handling there). It is deprecated from Spring Security 3.1, where a separate <http pattern="..." security="none"/> element is the replacement. -->
<intercept-url pattern="/public/**" filters="none"/>
<intercept-url pattern="/login" filters="none"/>
<intercept-url pattern="/loggedOut" filters="none"/>
<intercept-url pattern="/include/css/**" filters="none"/>
<intercept-url pattern="/include/img/**" filters="none"/>
<intercept-url pattern="/include/**" access="hasRole('ROLE_REPORTS')" />
</http>
<beans:import resource="hibernate-context.xml" />
<!-- NOTE(review): if UserServiceImpl is also stereotype-annotated, the component scan and the explicit bean below would create two instances; confirm which one the provider receives. -->
<context:component-scan base-package="uk.co.romar.guardian.services" />
<beans:bean id="userService" class="uk.co.romar.guardian.services.UserServiceImpl" />
<!-- pwdEncoder is declared but not referenced anywhere in the visible config: the authentication-provider below has no <password-encoder ref="pwdEncoder"/> child, so unless UserServiceImpl hashes on its own the provider compares the submitted password with the stored value as plain text. Unsalted SHA (the salt source is commented out) is also weak against precomputed tables; a salted, slow hash such as BCryptPasswordEncoder (Spring Security 3.1+) is preferable. -->
<beans:bean id="pwdEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />
<!-- <beans:bean id="saltSource" class="??"/> -->
<!-- Wires the UserDetailsService; the roles returned by loadUserByUsername are what the hasRole(...) rules in <http> check. -->
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userService">
</authentication-provider>
</authentication-manager>
</beans:beans>
答案 0 :(得分:1)
感谢大家的投入。
问题出在我自己的代码中,我将数据库hibernate对象中的角色/授权复制到loadUserByUsername实现将返回的UserDetails对象。
Spring 的行为是正确的;是我的代码有 bug,把错误的角色分配给了 UserDetails 对象。
Spring / config是正确的。