Spring security hasRole() giving Error 403 - Access is denied
I am trying to view a specific page that only the admin can view, but I am getting an error every time I make the request. It appears to be with the hasRole() in my security-context file.

The error just says HTTP Status 403 - Access is denied when I make the request to see the admin JSP page.
security-context.xml:

    <security:http use-expressions="true">
        <!-- rules are matched in declaration order; the first matching pattern wins -->
        <security:intercept-url pattern="/admin" access="hasAnyRole('admin')" />
        <security:form-login login-page="/login"
            authentication-failure-url="/login?error=true" />
        <!-- the logout target must itself be reachable: it is permitAll below -->
        <security:logout logout-success-url="/loggedout" />
        <security:intercept-url pattern="/createoffer" access="isAuthenticated()" />
        <security:intercept-url pattern="/docreate" access="isAuthenticated()" />
        <security:intercept-url pattern="/offercreated" access="isAuthenticated()" />
        <security:intercept-url pattern="/" access="permitAll" />
        <security:intercept-url pattern="/loggedout" access="permitAll" />
        <security:intercept-url pattern="/newaccount" access="permitAll" />
        <security:intercept-url pattern="/createaccount" access="permitAll" />
        <security:intercept-url pattern="/accountcreated" access="permitAll" />
        <security:intercept-url pattern="/static/**" access="permitAll" />
        <security:intercept-url pattern="/login" access="permitAll" />
        <security:intercept-url pattern="/offers" access="permitAll" />
        <security:intercept-url pattern="/**" access="denyAll" />
    </security:http>
My two tables in my database are users(username, email, enabled, password) and authorities(username, authority).

Could anyone suggest what my error is or how to fix it?
By default Spring adds the ROLE_ prefix, so changing hasAnyRole('admin') to hasAnyRole('ROLE_admin') should fix the error, unless you have a custom implementation.
Ref:

http://docs.spring.io/spring-security/site/docs/current-SNAPSHOT/apidocs/org/springframework/security/access/vote/RoleVoter.html

https://docs.spring.io/spring-security/site/docs/3.2.3.RELEASE/apidocs/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.html#setRolePrefix(java.lang.String)
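The following is an added example, not code from the answer above or from Spring Security itself. It models the two places a ROLE_ prefix can enter the comparison that decides between 200 and 403: the prefix JdbcDaoImpl prepends to each row of the authorities table (setRolePrefix, empty by default) and the prefix that newer Spring Security versions prepend to the name written in hasAnyRole(...) when it does not already start with ROLE_ (older versions compare the name as written). The class name, method names and the table rows are constructed for illustration; the real comparison happens inside Spring Security, but the rule it models holds: the granted authority string must equal the required authority string exactly.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Added example (not from the question or answer): a model of the string
// comparison behind hasAnyRole(...), with both prefix knobs made explicit.
public class RolePrefixCheck {

    // Mimics JdbcDaoImpl: every row of authorities(username, authority) becomes
    // rolePrefix + authority. rolePrefix is "" unless setRolePrefix is called.
    static Set<String> loadAuthorities(List<String> authorityColumn, String rolePrefix) {
        Set<String> granted = new LinkedHashSet<>();
        for (String authority : authorityColumn) {
            granted.add(rolePrefix + authority);
        }
        return granted;
    }

    // The name the expression ends up requiring. With expressionPrefix "ROLE_"
    // (newer Spring Security) hasAnyRole('admin') requires "ROLE_admin"; with ""
    // (older versions) it requires the name exactly as written.
    static String requiredName(String roleInExpression, String expressionPrefix) {
        if (expressionPrefix.isEmpty() || roleInExpression.startsWith(expressionPrefix)) {
            return roleInExpression;
        }
        return expressionPrefix + roleInExpression;
    }

    // Access is granted only when a required name equals a granted string exactly.
    static boolean hasAnyRole(Set<String> granted, String expressionPrefix, String... roles) {
        for (String role : roles) {
            if (granted.contains(requiredName(role, expressionPrefix))) {
                return true;
            }
        }
        return false;
    }

    static String outcome(boolean allowed) {
        return allowed ? "200 (allowed)" : "403 (Access is denied)";
    }

    public static void main(String[] args) {
        // Constructed sample rows from the authorities table for the admin user.
        List<String> rowsWithBareName = Arrays.asList("admin");
        List<String> rowsWithPrefixedName = Arrays.asList("ROLE_admin");

        // Table stores "admin", no loader prefix, expression hasAnyRole('admin').
        Set<String> bare = loadAuthorities(rowsWithBareName, "");
        System.out.println("table=admin expr=admin, old versions   -> "
                + outcome(hasAnyRole(bare, "", "admin")));
        System.out.println("table=admin expr=admin, newer versions -> "
                + outcome(hasAnyRole(bare, "ROLE_", "admin")));

        // The answer's fix, hasAnyRole('ROLE_admin'), only matches a granted
        // string that is also "ROLE_admin": either stored that way ...
        Set<String> stored = loadAuthorities(rowsWithPrefixedName, "");
        System.out.println("table=ROLE_admin expr=ROLE_admin        -> "
                + outcome(hasAnyRole(stored, "ROLE_", "ROLE_admin")));

        // ... or produced by JdbcDaoImpl.setRolePrefix("ROLE_") at load time.
        Set<String> prefixedByLoader = loadAuthorities(rowsWithBareName, "ROLE_");
        System.out.println("table=admin + rolePrefix=ROLE_ expr=ROLE_admin -> "
                + outcome(hasAnyRole(prefixedByLoader, "ROLE_", "ROLE_admin")));

        // Mismatch that still yields 403: table "admin", expression "ROLE_admin",
        // no loader prefix.
        System.out.println("table=admin expr=ROLE_admin, no loader prefix -> "
                + outcome(hasAnyRole(bare, "ROLE_", "ROLE_admin")));
    }
}
```

The practical check is therefore on both ends at once: look at the exact string in the authority column for the admin user and at the exact string the expression resolves to, and make them identical (storing ROLE_admin and writing hasAnyRole('ROLE_admin') satisfies both old and new prefix behaviour). Prefix mismatches fail closed, which is why the symptom is a 403 rather than anything more alarming, but it also means a role that silently never matches leaves an administrative page unreachable for its intended users.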
Please confirm that when you log in as admin, you really have the admin role. Please see the output of the following code:

    getCurrentUser().getAuthorities();

in any of the flows that is permitted to all. This will simply list all the roles your logged-in user has.
    import org.springframework.security.core.context.SecurityContext;
    import org.springframework.security.core.context.SecurityContextHolder;

    // Returns the application's own UserInfo principal, or null when nobody is
    // logged in or the principal is of some other type (e.g. a plain String).
    public UserInfo getCurrentUser() {
        UserInfo userInfo = null;
        SecurityContext securityContext = SecurityContextHolder.getContext();
        if (securityContext != null && null != securityContext.getAuthentication()) {
            Object principal = securityContext.getAuthentication().getPrincipal();
            if (UserInfo.class.isAssignableFrom(principal.getClass())) {
                userInfo = (UserInfo) principal;
            }
        }
        return userInfo;
    }
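As an added example (not part of the answer above), here is one way to perform the check it recommends as a Spring MVC endpoint. It reads the authorities from the Authentication object itself instead of casting the principal to UserInfo, so it also works when the principal is Spring's own User (what the JDBC user service produces by default) or a String, cases in which the getCurrentUser() helper above would return null and getCurrentUser().getAuthorities() would throw a NullPointerException. The class name and the "/whoami" path are assumptions; the path has to be declared permitAll in security-context.xml, before the "/**" denyAll rule, to be reachable.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

// Added example: a diagnostic endpoint that lists the granted authorities of
// the current Authentication. Class name and path are assumptions.
@Controller
public class WhoAmIController {

    // Collects the authority names; an empty list when there is no
    // Authentication in the context at all.
    static List<String> authorityNames(Authentication authentication) {
        if (authentication == null) {
            return Collections.emptyList();
        }
        List<String> names = new ArrayList<>();
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            names.add(authority.getAuthority());
        }
        return names;
    }

    @RequestMapping("/whoami")
    @ResponseBody
    public String whoAmI() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            return "no Authentication in SecurityContext";
        }
        // Before login, Spring's anonymous filter supplies an Authentication whose
        // only authority is ROLE_ANONYMOUS. After a form login the names listed
        // here are exactly the strings hasAnyRole(...) is compared against,
        // prefix included, so "admin" here will never satisfy "ROLE_admin".
        return "principal=" + authentication.getName()
                + " authenticated=" + authentication.isAuthenticated()
                + " authorities=" + authorityNames(authentication);
    }
}
```

Log in as the admin user, open /whoami, and compare the listed authority strings character for character with the role named in the /admin intercept-url. Because the endpoint reveals which roles an account holds, restrict it to isAuthenticated() or remove it once the 403 is understood.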