[英]Spring security authenticate user to enter admin
I am using spring security to authenticate users. 我正在使用Spring Security来验证用户身份。
AdminController.java AdminController.java
@Controller
@Secured("ROLE_ADMIN")
public class AdminController {
@RequestMapping("/list")
public ModelAndView listProductController(@ModelAttribute("pForm") Product product, ModelMap model)
{
return new ModelAndView("list", model);
}
}
I the above code, I want only admins can visit the url http://localhost/Pgga/list
, but even without login, I am able to visit this page. 在上面的代码中,我希望只有管理员才能访问URL
http://localhost/Pgga/list
,但是即使没有登录,我也可以访问此页面。
spring-security.xml spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<global-method-security secured-annotations="enabled" />
<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/admin*" access="ROLE_ADMIN" />
<!-- access denied page -->
<access-denied-handler error-page="/403" />
<form-login
login-page="/login"
login-processing-url="/login.do"
default-target-url="/index"
authentication-failure-url="/login?error"
username-parameter="emailID"
password-parameter="password" />
<logout
logout-success-url="/login?logout"
delete-cookies="JSESSIONID"
invalidate-session="true" />
<csrf/>
</http>
<authentication-manager>
<authentication-provider user-service-ref="userAuthenticationProvider">
<password-encoder hash="plaintext" />
</authentication-provider>
</authentication-manager>
</beans:beans>
How can I allow only admins to enter admin area? 如何只允许管理员进入管理员区域?
使用hasRole('admin')或设置use-expressions =“ false” ....
Login redirecting to itself because you set: 登录名重定向到其自身,因为您设置了:
login-page="/login"
And it keep redirect to user page because spring know the /login
its the login page but don't have access to use it, so add this : 并且它保持重定向到用户页面,因为spring知道
/login
它的登录页面,但是无权使用它,因此添加以下内容:
<intercept-url pattern="/login" access="permitAll()" />
to make sure the login page is permitted and can give access or assign role to the authenticated user. 以确保登录页面被允许并且可以向已认证的用户授予访问权限或为其分配角色。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.