I am trying to view a specific page that only the admin can view, but I am getting an error every time I make the request. It appears to be with the hasRole() in my security-context file.
The error just says HTTP Status 403 - Access is denied when I make the request to see the admin JSP page.
security-context.xml:
<security:http use-expressions="true">
    <security:intercept-url pattern="/admin" access="hasAnyRole('admin')" />
    <security:form-login login-page="/login"
                         authentication-failure-url="/login?error=true" />
    <!-- logout target must match the permitAll pattern below ("/loggedout", not "/loogedout") -->
    <security:logout logout-success-url="/loggedout" />
    <security:intercept-url pattern="/createoffer" access="isAuthenticated()" />
    <security:intercept-url pattern="/docreate" access="isAuthenticated()" />
    <security:intercept-url pattern="/offercreated" access="isAuthenticated()" />
    <security:intercept-url pattern="/" access="permitAll" />
    <security:intercept-url pattern="/loggedout" access="permitAll" />
    <security:intercept-url pattern="/newaccount" access="permitAll" />
    <security:intercept-url pattern="/createaccount" access="permitAll" />
    <security:intercept-url pattern="/accountcreated" access="permitAll" />
    <security:intercept-url pattern="/static/**" access="permitAll" />
    <security:intercept-url pattern="/login" access="permitAll" />
    <security:intercept-url pattern="/offers" access="permitAll" />
    <security:intercept-url pattern="/**" access="denyAll" />
</security:http>
The two tables in my database are user(username, email, enabled, password) and authorities(username, authority).
Could anyone suggest what my error is or how to fix it?
By default Spring adds the ROLE_ prefix, so changing hasAnyRole('admin')
to hasAnyRole('ROLE_admin')
should fix the error, unless you have a custom implementation.
Ref:
Please confirm that when you log in as admin, you really have the admin role. Please see the output of the following code:
getCurrentUser().getAuthorities();
in any of the flows that is permitted to all. This will simply list all the roles your logged-in user has.
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

// UserInfo is the application's own principal type (the object returned by its UserDetailsService).
public UserInfo getCurrentUser() {
    UserInfo userInfo = null;
    // The security context is thread-bound; it may be empty on unauthenticated requests.
    SecurityContext securityContext = SecurityContextHolder.getContext();
    if (securityContext != null && null != securityContext.getAuthentication()) {
        Object principal = securityContext.getAuthentication().getPrincipal();
        // Anonymous requests carry a String principal ("anonymousUser"), so check the type first.
        if (UserInfo.class.isAssignableFrom(principal.getClass())) {
            userInfo = (UserInfo) principal;
        }
    }
    return userInfo;
}
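The two answers above point at the same question: does the string stored in the authorities table line up with what hasAnyRole('admin') actually looks for? The following is an added example, not code from either answer or from Spring Security itself. It re-implements, without any Spring dependency, the two role-matching behaviours I know Spring Security to have used: in 3.x the argument to hasAnyRole() is compared to the granted authorities as-is, while from 4.0 on a default prefix of ROLE_ is prepended unless the argument already starts with it. The sample authority rows are constructed. Run it to see which combination of stored value, expression and version yields the 403 described in the question.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example: simulates how hasAnyRole(...) compares the expression
 * argument against the authorities loaded from the authorities table.
 * The matching rules below are a re-implementation of the behaviour the
 * author of this example attributes to Spring Security 3.x and 4.x; they
 * are not Spring's own code.
 */
public class RoleCheckDemo {

    // Default prefix that Spring Security 4+ applies inside hasRole/hasAnyRole.
    static final String ROLE_PREFIX = "ROLE_";

    /** 4.x-style check: 'admin' is looked up as 'ROLE_admin'; 'ROLE_admin' stays as-is. */
    static boolean hasAnyRoleWithPrefix(List<String> granted, String... roles) {
        for (String role : roles) {
            String wanted = role.startsWith(ROLE_PREFIX) ? role : ROLE_PREFIX + role;
            if (granted.contains(wanted)) {
                return true;
            }
        }
        return false;
    }

    /** 3.x-style check: the argument must equal a granted authority exactly. */
    static boolean hasAnyRoleExact(List<String> granted, String... roles) {
        for (String role : roles) {
            if (granted.contains(role)) {
                return true;
            }
        }
        return false;
    }

    /** Prints one row of the comparison table for a given stored authority value. */
    static void report(String storedAuthority, String expressionArg) {
        // Constructed sample: the single row authorities(username='admin', authority=storedAuthority).
        List<String> granted = Arrays.asList(storedAuthority);
        boolean v3 = hasAnyRoleExact(granted, expressionArg);
        boolean v4 = hasAnyRoleWithPrefix(granted, expressionArg);
        System.out.printf("stored=%-11s hasAnyRole('%s')  3.x: %-5s  4.x: %-5s%n",
                storedAuthority, expressionArg,
                v3 ? "allow" : "403", v4 ? "allow" : "403");
    }

    public static void main(String[] args) {
        // Each line pairs a value that might be in the authorities table with
        // the expression argument from security-context.xml.
        report("admin", "admin");            // value from the question
        report("admin", "ROLE_admin");       // first answer's change, unprefixed row
        report("ROLE_admin", "admin");       // prefixed row, original expression
        report("ROLE_admin", "ROLE_admin");  // prefixed row and prefixed expression
    }
}
```

Only the last line of the table is accepted by both matching rules, which is why storing the authority as ROLE_admin and writing hasAnyRole('ROLE_admin') is the combination that does not depend on the Spring Security version in use. Whatever your rows contain, the second answer's getCurrentUser().getAuthorities() call shows the exact strings Spring loaded, and those are what this simulation's granted list should hold.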