I am really new to Spring Security, so please bear with me. If anyone can guide me, I am open to suggestions for making this question more specific.
My problem is that I have an intercept-url configuration in Spring Security, but it always redirects to the access denied page, even though the user has the required role. Here is my Spring Security configuration:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-4.1.xsd">
    <!-- enable use-expressions -->
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
        <!-- access denied page -->
        <access-denied-handler error-page="/403" />
        <session-management invalid-session-url="/login"
            session-fixation-protection="newSession">
            <concurrency-control max-sessions="1"
                error-if-maximum-exceeded="true" />
        </session-management>
        <form-login login-page="/login" authentication-failure-url="/login?error"
            username-parameter="emailId" password-parameter="pwd" />
        <logout logout-success-url="/login?logout" delete-cookies="JSESSIONID" />
        <csrf token-repository-ref="tokenRepository" />
    </http>
    <authentication-manager>
        <authentication-provider ref="customAuthenticationProvider" />
    </authentication-manager>
</beans:beans>
From my research I feel there is nothing wrong with the configuration above, but since I am using a custom UserDetails object, that might be the problem. Here is the POJO:
import java.util.List;

import org.springframework.security.core.userdetails.UserDetails;

public class CustomUser implements UserDetails {
    private static final long serialVersionUID = 1L;
    private String userID;
    private String emailId;
    private String password;
    private boolean enabled = true;
    private boolean accountNonExpired = true;
    private boolean credentialsNonExpired = true;
    private boolean accountNonLocked = true;
    // Populated by the custom UserDAO; this is the collection that
    // hasRole()/hasAuthority() in the intercept-url expressions inspect.
    private List<Role> authorities;

    // Covariant return: List<Role> satisfies Collection<? extends GrantedAuthority>
    @Override
    public List<Role> getAuthorities() {
        return authorities;
    }

    // Note: whatever toString() prints ends up in the log (the logged principal
    // below includes the password field verbatim).
    //other setters and getters
}
The Role class:
import org.springframework.security.core.GrantedAuthority;

public class Role implements GrantedAuthority {
    private static final long serialVersionUID = 1L;
    private String name;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    // Returns the stored name verbatim, with no prefix added; this exact
    // string is what Spring Security compares against the access expression.
    @Override
    public String getAuthority() {
        return this.name;
    }
}
I also have a custom UserDAO class that populates the CustomUser POJO, and I have verified that there are no problems when the values are set.
This is my principal (as written in the log):
Principal: CustomUser [userID=user1, emailId=test@test.com, password=pwd, enabled=true, accountNonExpired=true, credentialsNonExpired=true, authorities=[Role [name=ADMIN]]];
What could be the reason the page is always denied?
Thanks for taking the time to read this :)
Change
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
to
<intercept-url pattern="/admin/**" access="hasRole('ADMIN')" />
EDIT
If the previous approach does not work, then try the following.
In your Role, it returns "ADMIN" whereas you are expecting "ROLE_ADMIN".
Change "ADMIN" to "ROLE_ADMIN".