Spring Security roles

Time: 2012-03-23 18:07:44

Tags: spring-security

I have a user-roles table in my database containing roles such as 'ROLE_ADMIN' and 'ROLE_USER', and in applicationContext-security.xml I define filterSecurityInterceptor as:

<s:filter-chain-map path-type="ant"> <!-- opening tag was missing from the pasted config; path-type="ant" is assumed because the patterns use ** -->

  <s:filter-chain pattern="/rpc/adminService"
    filters="
        authenticationProcessingFilter,
        filterSecurityInterceptor"/>

  <s:filter-chain pattern="/rpc/**"
    filters="
        concurrentSessionFilter, 
        httpSessionContextIntegrationFilter,
        authenticationProcessingFilter,
        rememberMeProcessingFilter,
        anonymousProcessingFilter,
        exceptionTranslationFilter,
        filterSecurityInterceptor" />

  <s:filter-chain pattern="/j_spring_security*"
    filters="
        concurrentSessionFilter, 
        httpSessionContextIntegrationFilter,
        logoutFilter,
        authenticationProcessingFilter,
        rememberMeProcessingFilter,
        anonymousProcessingFilter" />

  <s:filter-chain pattern="/**" filters="none" />
</s:filter-chain-map>

  <bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
    <property name="objectDefinitionSource">
      <s:filter-invocation-definition-source>
        <s:intercept-url pattern="/rpc/userService" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <s:intercept-url pattern="/rpc/adminService**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <s:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
      </s:filter-invocation-definition-source>
    </property>
  </bean>

  <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
    <property name="sessionController" ref="concurrentSessionController" />
    <property name="providers">
      <list>
        <ref bean="rememberMeAuthenticationProvider" />
        <ref bean="daoAuthenticationProvider" />
      </list>
    </property>
  </bean>

 <bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="accountRepository" />
    <property name="passwordEncoder" ref="passwordEncoder" />
  </bean>

However, when I try to access some resources as the admin user, access is denied with:

An Authentication object was not found in the SecurityContext

How do I convert the roles defined in the database into roles that the securityContext recognizes?

2 answers:

Answer 0 (score: 1)

There is no HttpSessionContextIntegrationFilter in the filter chain for /rpc/adminService. You haven't said what the request URL is when you see the problem, but if you access that exact URL, the request will not have a security context.

A Spring Security filter chain should always include this filter.

I would also be wary of your

<s:filter-chain pattern="/**" filters="none" />

since anything that doesn't match the earlier patterns will have no security context.
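As an added example (not configuration from the question or from the answer above), here is the filter-chain map rewired the way the answer describes: the short /rpc/adminService chain is dropped so that URL falls under /rpc/**, every chain contains httpSessionContextIntegrationFilter, and the /** catch-all gets the full chain instead of filters="none". It also goes one step beyond the answer and addresses the asker's actual question by replacing the blanket IS_AUTHENTICATED_ANONYMOUSLY entries with the ROLE_* names stored in the database, so those roles actually gate access. Bean ids are the ones from the question; the springSecurityFilterChain id, the FilterChainProxy wrapper, the 2.0 namespace prefix s:, and the assumption that accessDecisionManager holds a RoleVoter and an AuthenticatedVoter are mine.

```xml
<!-- Added example, not the question's or answer's own configuration.
     Assumed: the bean ids below exist as in the question, the s: prefix maps
     to the Spring Security 2.0 namespace, springSecurityFilterChain is the
     id registered with DelegatingFilterProxy in web.xml, and
     accessDecisionManager contains a RoleVoter (for ROLE_* attributes) plus
     an AuthenticatedVoter (for IS_AUTHENTICATED_* attributes). -->
<bean id="springSecurityFilterChain"
      class="org.springframework.security.util.FilterChainProxy">
  <s:filter-chain-map path-type="ant">

    <!-- Login, logout and remember-me endpoints. No interceptor here, but the
         context integration filter still runs so that the Authentication
         produced by authenticationProcessingFilter is stored in the session. -->
    <s:filter-chain pattern="/j_spring_security*"
      filters="
          concurrentSessionFilter,
          httpSessionContextIntegrationFilter,
          logoutFilter,
          authenticationProcessingFilter,
          rememberMeProcessingFilter,
          anonymousProcessingFilter" />

    <!-- /rpc/adminService is no longer a separate, shorter chain; it is now
         handled here, so httpSessionContextIntegrationFilter loads the stored
         Authentication (or anonymousProcessingFilter supplies an anonymous
         token) before filterSecurityInterceptor asks for it. -->
    <s:filter-chain pattern="/rpc/**"
      filters="
          concurrentSessionFilter,
          httpSessionContextIntegrationFilter,
          authenticationProcessingFilter,
          rememberMeProcessingFilter,
          anonymousProcessingFilter,
          exceptionTranslationFilter,
          filterSecurityInterceptor" />

    <!-- Catch-all gets the same chain instead of filters="none", so no URL
         is served without a SecurityContext. -->
    <s:filter-chain pattern="/**"
      filters="
          concurrentSessionFilter,
          httpSessionContextIntegrationFilter,
          authenticationProcessingFilter,
          rememberMeProcessingFilter,
          anonymousProcessingFilter,
          exceptionTranslationFilter,
          filterSecurityInterceptor" />
  </s:filter-chain-map>
</bean>

<bean id="filterSecurityInterceptor"
      class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager" />
  <property name="accessDecisionManager" ref="accessDecisionManager" />
  <property name="objectDefinitionSource">
    <!-- Most specific patterns first: the first match wins. The access
         attributes are the role names exactly as stored in the user-roles
         table, so RoleVoter admits ROLE_ADMIN holders to adminService and an
         anonymous session, which carries neither role, is refused everything
         under /rpc/. -->
    <s:filter-invocation-definition-source>
      <s:intercept-url pattern="/rpc/adminService" access="ROLE_ADMIN" />
      <s:intercept-url pattern="/rpc/adminService/**" access="ROLE_ADMIN" />
      <s:intercept-url pattern="/rpc/userService" access="ROLE_USER,ROLE_ADMIN" />
      <s:intercept-url pattern="/rpc/**" access="ROLE_USER,ROLE_ADMIN" />
      <s:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    </s:filter-invocation-definition-source>
  </property>
</bean>
```

With this wiring the message "An Authentication object was not found in the SecurityContext" can no longer occur for /rpc/adminService: by the time filterSecurityInterceptor runs, the SecurityContextHolder holds either the session's Authentication or the anonymous token, so a caller without ROLE_ADMIN gets an AccessDeniedException that exceptionTranslationFilter turns into a redirect to the login page (or a 403 for an already-authenticated user) rather than an internal error.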

Answer 1 (score: 0)

Do you have this in your configuration?

<authentication-manager>
    <authentication-provider user-service-ref="accountRepository">
        <password-encoder ref="passwordEncoder"/>
    </authentication-provider>
</authentication-manager>

Have you looked at this: spring-security-3-database-authentication-with-hibernate

I'm using this for a simple test:

<authentication-manager alias="authenticationManager">
    <authentication-provider>
        <jdbc-user-service data-source-ref="dataSource"
            users-by-username-query=
                "SELECT username, password, CASE Status WHEN 1 THEN 'true' ELSE 'false' END as enabled
                    FROM User
                    WHERE username = ?"
            authorities-by-username-query=
                "SELECT username, CASE role WHEN 1 THEN 'ROLE_USER' WHEN 2 THEN 'ROLE_ADMIN' ELSE 'ROLE_GUEST' END as authorities
                    FROM User
                    WHERE username = ?" />
    </authentication-provider>
</authentication-manager>
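As an added example, not part of the answer above: the same <jdbc-user-service> adapted to the asker's schema, where the roles live in a separate user-roles table holding the literal strings ROLE_ADMIN and ROLE_USER (one row per role, so a user can hold several) instead of being derived with a CASE from a single numeric column, and with the passwordEncoder bean from the question wired in. The table and column names users, user_roles, username, password, enabled and role, and the dataSource bean, are assumptions; the namespace style follows the answer's snippet.

```xml
<!-- Added example; not the answer's configuration. Assumed: a users table
     (username, password, enabled) and a user_roles table (username, role)
     whose role column stores ROLE_ADMIN / ROLE_USER verbatim, a dataSource
     bean, and the passwordEncoder bean from the question. -->
<authentication-manager alias="authenticationManager">
  <authentication-provider>
    <!-- Compare the submitted password against the stored hash with the same
         encoder that was used when the row was written; without this element
         the provider compares the stored value as plaintext. -->
    <password-encoder ref="passwordEncoder"/>
    <!-- Both queries bind the username as a JDBC parameter (?), so the value
         from the login form is never concatenated into SQL. -->
    <jdbc-user-service data-source-ref="dataSource"
      users-by-username-query=
        "SELECT username, password, enabled
           FROM users
          WHERE username = ?"
      authorities-by-username-query=
        "SELECT username, role
           FROM user_roles
          WHERE username = ?" />
  </authentication-provider>
</authentication-manager>
```

Each row returned by the second query becomes one GrantedAuthority on the loaded UserDetails, so a user with rows for both ROLE_USER and ROLE_ADMIN receives both, and an intercept-url with access="ROLE_ADMIN" is satisfied through RoleVoter, which by default only considers attributes starting with ROLE_. If the second query returns no rows the login is rejected, so every account that should be able to sign in needs at least one role row.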