stackoom
  简体   繁体   中英

Spring security hasRole() giving Error 403 - Access is denied

 原文  2016-01-21 16:12:59       java/ spring/ jsp/ spring-mvc/ spring-security

Question

I am trying to view a specific page that only the admin can view but I am getting an error every time I make the request. It appears to be with the hasRole() in my security-context file.

The error just says HTTP Status 403 - Access is denied when I make the request to see the admin jsp page

security-context.xml: 

<security:http use-expressions="true">
    <security:intercept-url pattern="/admin" access="hasAnyRole('admin')" />
    <security:form-login login-page="/login"
        authentication-failure-url="/login?error=true" />
    <security:logout logout-success-url="/loogedout" />
    <security:intercept-url pattern="/createoffer" access="isAuthenticated()" />
    <security:intercept-url pattern="/docreate" access="isAuthenticated()" />
    <security:intercept-url pattern="/offercreated" access="isAuthenticated()" />
    <security:intercept-url pattern="/" access="permitAll" />
    <security:intercept-url pattern="/loggedout" access="permitAll" />
    <security:intercept-url pattern="/newaccount" access="permitAll" />
    <security:intercept-url pattern="/createaccount" access="permitAll" />
    <security:intercept-url pattern="/accountcreated" access="permitAll" />
    <security:intercept-url pattern="/static/**" access="permitAll" />
    <security:intercept-url pattern="/login" access="permitAll" />
    <security:intercept-url pattern="/offers" access="permitAll" />
    <security:intercept-url pattern="/**" access="denyAll" />
</security:http>

My two tables in my database are a user(username, email, enabled, password) and authorities(username, authority).

Could anyone suggest what my error is or how to fix it?

2 answers

solution1
 5  2016-01-22 06:29:24

by default spring added ROLE_ prefix so changing hasAnyRole('admin') to hasAnyRole('ROLE_admin') should fix the error, unless you have custom implementation.

Ref:

http://docs.spring.io/spring-security/site/docs/current-SNAPSHOT/apidocs/org/springframework/security/access/vote/RoleVoter.html

https://docs.spring.io/spring-security/site/docs/3.2.3.RELEASE/apidocs/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.html#setRolePrefix(java.lang.String)

solution2
 0  2016-01-22 09:36:57

Please confirm that when you login as admin, You really have the admin role. Please see the out put of following code:
getCurrentUser().getAuthorities(); in any of the flows that is permitted to all. This will simply list all the roles your logged in user has. 

public UserInfo getCurrentUser() {
        UserInfo userInfo = null;
        SecurityContext securityContext = SecurityContextHolder.getContext();
        if (securityContext != null && null != securityContext.getAuthentication()) {
            Object principal = securityContext.getAuthentication().getPrincipal();
            if (UserInfo.class.isAssignableFrom(principal.getClass())) {
                userInfo = (UserInfo) principal;
            }
        }
        return userInfo;
    }

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question hasRole() not working error Http Status 403 - Access is denied Error 403 - Access denied using Spring security - ManyToMany annotation issue? Spring Security Access denied 403 after post Spring Security Access denied 403 after get HTTP Status 403 - Access is denied Spring security spring security HTTP Status 403 - Access Denied 403 access denied Spring Security everytime Access denied for <sec:authorize access="hasRole('ROLE_MANAGER)"> in Spring Security How to customize the 403 Forbidden/Access Denied Page using Spring Security Spring Security hasRole() not working
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM