
Spring Security does not work with "hasRole('ROLE_ADMIN')" or ROLE_ADMIN

I am using Spring Security version 4.1. If I specify access="hasRole('ROLE_ADMIN')" or access="ROLE_ADMIN" in the security configuration, I am able to log in, but I am unable to access my admin page.

<security:http use-expressions="true">
    <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    <!-- security:intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" / -->
    <security:intercept-url pattern="/createmanufsensors" access="isAuthenticated()" />
</security:http>
<security:global-method-security secured-annotations="enabled"></security:global-method-security>

Below is the debug error:

DEBUG [http-bio-8080-exec-10] [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] Secure object: FilterInvocation: URL: /admin; Attributes: [hasRole('ROLE_ADMIN')]     
2016-06-25 10:07:53,667 [] DEBUG [http-bio-8080-exec-10] [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@cc305a73: Principal: org.springframework.security.core.userdetails.User@74b46745: Username: francatore                                                  ; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN                                ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 7F702A6911A71EA5556C750B6D424FF5; Granted Authorities: ROLE_ADMIN                                   
2016-06-25 10:07:53,667 [] DEBUG [http-bio-8080-exec-10] [org.springframework.security.access.vote.AffirmativeBased] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@170ea084, returned: -1
2016-06-25 10:07:53,668 [] DEBUG [http-bio-8080-exec-10] [org.springframework.security.web.access.ExceptionTranslationFilter] Access is denied (user is not anonymous); delegating to AccessDeniedHandler

What could I possibly be missing?

I have a small explanation for this. Here you are authenticated as a normal user but not authorized to view the admin page.

If you are using the access="hasRole('ROLE_ADMIN')" expression, then the Spring EL class (i.e. SecurityExpressionRoot) will add the prefix ROLE_ to every role that we have provided in the hasRole() expression. So in your case the role you have provided in hasRole('ROLE_ADMIN') resolves to ROLE_ROLE_ADMIN.

That's why you are authenticated as a user who has ROLE_ADMIN. But for the Spring Security framework to let you view the admin page, the user must have the role ROLE_ROLE_ADMIN (because the SecurityExpressionRoot class added the ROLE_ prefix).

So remove that ROLE_ prefix in your code, i.e. use access="hasRole('ADMIN')", and Spring Security will add the ROLE_ prefix automatically. And make sure that you have specified your admin role in the database as ROLE_ADMIN.
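An added check worth making alongside the answer above (example code, not from the question, the answer or Spring Security itself): the debug log in the question prints the username and the granted authority followed by long runs of spaces before the ';' separator, which is what values read from a padded CHAR column look like, and hasRole() compares authority strings exactly, so "ROLE_ADMIN" followed by padding never matches. The helper below, fed a constructed sample, trims stored role names and guarantees a single ROLE_ prefix before they become GrantedAuthority objects; RoleNormaliser and its method names are my own choices.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

// Added example (hypothetical helper, not Spring's own code): normalise role
// names read from the database before they become GrantedAuthority objects.
public final class RoleNormaliser {
    private static final String ROLE_PREFIX = "ROLE_";

    // Trims CHAR-column padding and guarantees exactly one ROLE_ prefix,
    // so both "ROLE_ADMIN   " and "ADMIN" end up as "ROLE_ADMIN".
    static String normalise(String rawRole) {
        String role = rawRole == null ? "" : rawRole.trim();
        if (role.isEmpty()) {
            throw new IllegalArgumentException("empty role name from database");
        }
        return role.startsWith(ROLE_PREFIX) ? role : ROLE_PREFIX + role;
    }

    // Use this in a UserDetailsService when building the User object, so the
    // authorities handed to hasRole() are already clean.
    static List<GrantedAuthority> toAuthorities(List<String> dbRoles) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String dbRole : dbRoles) {
            authorities.add(new SimpleGrantedAuthority(normalise(dbRole)));
        }
        return authorities;
    }

    public static void main(String[] args) {
        // Constructed sample: what a padded CHAR column returns for the two
        // spellings discussed above. Brackets make any leftover padding visible.
        List<String> fromDb = List.of("ROLE_ADMIN                    ", "ADMIN");
        for (GrantedAuthority authority : toAuthorities(fromDb)) {
            System.out.println("[" + authority.getAuthority() + "]");
        }
    }
}
```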
