HTTP状态403 - 拒绝访问Spring安全性

Question

I've added Spring security to my project and configured it as

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">

     <http>
        <intercept-url pattern="/add-job**" access="hasRole('USER')" />
        <form-login  
            login-page="/login" 
            default-target-url="/"
            always-use-default-target="true"/>
        <logout />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
            <user name="admin" password="admin" authorities="ROLE_ADMIN" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

through the above configuration when I go to /add-job it redirects me to \\login and after login success I go to /add-job it shows me error

is there any mistake I've.

Answer 1

Spring security is right in denying access:

• you define only one login in your authentication manager: admin/admin with one authority ROLE_ADMIN
• you restrict access to /add-job** to users having ROLE_USER authority

No user can have the ROLE_USER authority, so spring security will always deny access.

You should use either ROLE_ADMIN or ROLE_USER (or any other ROLE_xxx you like) but use the same in protecting the resource ( access="hasRole(xxx)" ) and granting to user ( authorities="ROLE_xxx" )

Anyway, the simplest way to fix is to add the required authority to user admin:

        <user name="admin" password="admin" authorities="ROLE_ADMIN,ROLE_USER" />