使用用户角色和 Spring Security 保护 URL
[英]Securing URL using User Roles and Spring Security
问题描述
I have multiple User Roles in my Java application.
我的 Java 应用程序中有多个用户角色。 Here is my code:这是我的代码:
private String userAccess[] = new String[]{"/dashboard/**"};
private String dataAccess[] = new String[]{"/dashboard/**", "/data/**"};
private String adminAccess[] = new String[]{"/dashboard/**", "/data/**", "/admin/**"};
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers(publicResources).permitAll()
.antMatchers(userAccess).hasRole("USER").anyRequest().authenticated()
.antMatchers(dataAccess).hasRole("DATA").anyRequest().authenticated()
.antMatchers(adminAccess).hasRole("ADMIN").anyRequest().authenticated()
Error:错误:
2019-12-18T12:00:34.059+0000 DEBUG Secure object: FilterInvocation: URL: /dashboard;
Sorry, cannot seem to get the Exception showing in the "code" tag here :(抱歉,似乎无法在此处显示“代码”标签中的异常:(
The problem now is when I logon with ADMIN all works 100%.现在的问题是,当我使用 ADMIN 登录时,所有工作 100%。 But when I logon with USER or DATA, then I get an exception saying that I tried to access and unauthorised page.但是当我使用 USER 或 DATA 登录时,我收到一个异常,说我试图访问和未经授权的页面。
So what is happening is that it loads the URL access for user DATA, but when the last line executes, it changes the /dashboard URL to have ADMIN access.所以发生的事情是它加载了用户 DATA 的 URL 访问权限,但是当最后一行执行时,它更改 /dashboard URL 以具有 ADMIN 访问权限。 My Role is still DATA role and thus don't have access to the /dashboard URL.我的角色仍然是 DATA 角色,因此无权访问 /dashboard URL。
So it seems like the last line is overwriting the others.所以看起来最后一行正在覆盖其他行。 Looking at the URL privileges again, if I remove "/dashboard", then I will get the same issue when it comes to the "/data" URL.再次查看 URL 权限,如果我删除“/dashboard”,那么当涉及到“/data”URL 时,我会遇到同样的问题。
Is there a better way of doing this or maybe a way for me to resolve this?有没有更好的方法来做到这一点,或者我有办法解决这个问题?
Thanks谢谢
3 个解决方案
解决方案1
1 已采纳 2019-12-18 12:55:56
What if not repeat an endpoint for role如果不重复角色的端点怎么办
private String userAccess[] = new String[]{"/dashboard/**"};
private String dataAccess[] = new String[]{"/data/**"};
private String adminAccess[] = new String[]{"/admin/**"};
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers(publicResources).permitAll()
.antMatchers(userAccess).hasAnyRole("USER", "DATA", "ADMIN").anyRequest().authenticated()
.antMatchers(dataAccess).hasAnyRole("DATA", "ADMIN").anyRequest().authenticated()
.antMatchers(adminAccess).hasRole("ADMIN").anyRequest().authenticated();
}
解决方案2
0 2019-12-18 12:47:49
The order of antMatchers is important. antMatchers 的顺序很重要。
More specific ones should go first.更具体的应该先行。 Least specific one should be last.最不具体的应该放在最后。
Reorder the antMatchers to be as follows:将 antMatchers 重新排序如下:
.antMatchers(userAccess).hasRole("USER").anyRequest().authenticated()
.antMatchers(dataAccess).hasRole("DATA").anyRequest().authenticated()
.antMatchers(adminAccess).hasRole("ADMIN").anyRequest().authenticated()
.antMatchers(publicResources).permitAll()
I am assuming user is more specific than data.我假设用户比数据更具体。
解决方案3
-1 2019-12-18 12:50:22
Strange authorization ... You need to change the logic.奇怪的授权......你需要改变逻辑。 In your config is written: publicResources permitAll AND matcher userAccess has role USER AND any requests authenticated AND matcher dataAccess has role DATA AND any requests authenticated AND ... (multiple definitions of anyRequest)在您的配置中写着: publicResources permitAll AND matcher userAccess具有角色 USER AND 任何请求已通过身份验证 AND matcher dataAccess具有角色 DATA AND 任何请求已通过身份验证 AND ...(anyRequest 的多个定义)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.