只有在允许用户角色的情况下,我才会尝试显示链接。但链接并没有隐藏,任何角色的所有内容都会显示出来。
在这里看到了这么多类似的查询,但没有一个解决方案有效。请告诉我缺少什么。
配置。
@Configuration
@EnableWebSecurity
public class SecConfig extends WebSecurityConfigurerAdapter{
private final String USER = "USER";
private final String ADMIN = "ADMIN";
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/").hasAnyRole(USER, ADMIN)
.antMatchers("/closed").hasRole(ADMIN).and()
.formLogin().defaultSuccessUrl("/");
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("jane").password(passwordEncoder().encode("qwe")).roles(ADMIN, USER).and()
.withUser("john").password(passwordEncoder().encode("qwe")).roles(USER);
}
@Bean
public BCryptPasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
}
POM-
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity4</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
HTML
<a th:href="@{/closed}">Go to closed</a>
<br/><br/>
<form th:action="@{/logout}" method="post">
<input type="submit" value="Log out">
</form>
<br/>
<h2>Welcome</h2>
<p>Spring Security Thymeleaf</p>
<div sec:authorize="hasRole('USER')">Text visible to user.</div>
<div sec:authorize="hasRole('ADMIN')">Text visible to admin.</div>
<div sec:authorize="isAuthenticated()">
Text visible only to authenticated users.
</div>
Authenticated username:
<div sec:authentication="name"></div>
Authenticated user roles:
<div sec:authentication="principal.authorities"></div>
上面的所有内容都显示给Jane,即使她没有管理员访问权限。此外,甚至她的角色和用户名也没有显示。
我还试着如下配置方言,这没有什么区别。
@Configuration
public class LeafConfig {
@Bean
public SpringSecurityDialect springSecurityDialect(){
return new SpringSecurityDialect();
}
}
以下是为简或约翰展示的内容。,无差异:
Welcome
Spring Security Thymeleaf
Text visible to user.
Text visible to admin.
Text visible only to authenticated users.
Authenticated username:
Authenticated user roles:
由于您使用的是Spring Security附加组件,因此您可以尝试使用${#authorization.expression('hasRole(''ROLE_ADMIN'')'}而不是sec:authorization。例如
<div th:if="${#authorization.expression('hasRole(''USER'')'}">Text visible to user.</div>
<div th:if="${#authorization.expression('hasRole(''ADMIN'')'}">Text visible to admin.</div>
<div th:if="${#authorization.expression('isAuthenticated()')}">
Text visible only to authenticated users.
</div>
如果您使用权限而不是角色,下面的代码将起作用。
<div th:if="${#authorization.expression('hasAuthority(''ADMIN'')')}">ADMIN</div>
<div th:if="${#authorization.expression('hasAuthority(''USER'')')}">USER</div>
<div th:if="${#authorization.expression('isAuthenticated()')}">
Text visible only to authenticated users.
</div>
</div>
关于您的配置,在.pom中将org.thymeleaf.extras更改为thymeleaf-extras-springsecurity5,您需要将Spring Dialect@Bean添加到您的配置中。
POM
<dependencies>
...
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
</dependency>
...
</dependencies>
LeafConfig
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect;
@Configuration
public class LeafConfig {
@Bean
public SpringSecurityDialect springSecurityDialect(){
return new SpringSecurityDialect();
}
}
经过这些更改后,一切都应该按预期进行。
您应该像下面这样使用它:
<sec:authorize access="hasRole('ADMIN')">
<div>
This content will only be visible to users who have
the "ADMIN" authority in their list of GrantedAuthority's.
</div>
</sec:authorize>