堆栈内存溢出
  简体   繁体   English

Spring Security对用户进行身份验证以输入管理员

[英]Spring security authenticate user to enter admin

 原文  2016-03-11 04:17:10       java/ spring/ spring-mvc/ spring-security

问题描述

I am using spring security to authenticate users. 我正在使用Spring Security来验证用户身份。

AdminController.java AdminController.java 

@Controller
@Secured("ROLE_ADMIN")
public class AdminController {

     @RequestMapping("/list")
    public ModelAndView listProductController(@ModelAttribute("pForm") Product product, ModelMap model)
    {

         return new ModelAndView("list", model);
    }
}

I the above code, I want only admins can visit the url http://localhost/Pgga/list , but even without login, I am able to visit this page. 在上面的代码中,我希望只有管理员才能访问URL http://localhost/Pgga/list ,但是即使没有登录,我也可以访问此页面。

spring-security.xml spring-security.xml 

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security.xsd">

    <global-method-security secured-annotations="enabled" />

    <!-- enable use-expressions -->
    <http auto-config="true" use-expressions="true">
    <intercept-url pattern="/admin*" access="ROLE_ADMIN" />

        <!-- access denied page -->
        <access-denied-handler error-page="/403" />
        <form-login 
            login-page="/login"
            login-processing-url="/login.do"
            default-target-url="/index"
            authentication-failure-url="/login?error" 
            username-parameter="emailID"
            password-parameter="password" />
        <logout 
            logout-success-url="/login?logout"
            delete-cookies="JSESSIONID"
            invalidate-session="true" />
        <csrf/>
    </http>

    <authentication-manager>
        <authentication-provider user-service-ref="userAuthenticationProvider">
            <password-encoder hash="plaintext" />
        </authentication-provider>
    </authentication-manager>

</beans:beans>

How can I allow only admins to enter admin area? 如何只允许管理员进入管理员区域?

2 个解决方案

解决方案1
 1  2016-03-11 04:38:21

使用hasRole('admin')或设置use-expressions =“ false” ....

解决方案2
 1  2016-03-11 06:41:16

Login redirecting to itself because you set: 登录名重定向到其自身,因为您设置了: 

login-page="/login"

And it keep redirect to user page because spring know the /login its the login page but don't have access to use it, so add this : 并且它保持重定向到用户页面,因为spring知道/login它的登录页面,但是无权使用它,因此添加以下内容: 

<intercept-url pattern="/login" access="permitAll()" />

to make sure the login page is permitted and can give access or assign role to the authenticated user. 以确保登录页面被允许并且可以向已认证的用户授予访问权限或为其分配角色。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Spring Security无法验证用户 - Spring security not authenticate the user Spring 安全性 - 使用用户名验证用户 - Spring Security - Authenticate user with username 具有XML配置的Spring Security无法验证用户 - Spring Security with XML configuration does not authenticate user 如何使用Spring Security验证用户身份? - how to authenticate user using spring security? Spring Security 通过 post 对用户进行身份验证 - Spring Security authenticate user via post Spring安全性配置来认证ldap用户 - Spring security configuration to authenticate ldap user 春季安全性:用户和管理员登录失败 - Spring security: user and admin login fails 春季安全性不进行身份验证 - spring security does not authenticate SpringBoot和Spring Security无法验证 - SpringBoot and Spring Security not authenticate 如何使用Spring Security以编程方式验证`User`并使用我的`UserDetailsS​​ervie`实现? - How to programmatically authenticate `User` with spring security and use my `UserDetailsServie` implementation?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM