
Why does isAuthenticated() work, but access="hasRole('VERIFIED')" doesn't, in a Spring Security project?

I am working on a Spring project with Spring Security and Spring MVC 4.0.1. The code (intercept-url /loginSuccess) works correctly with access="isAuthenticated()", but it does not work with access="hasRole('VERIFIED')".

spring-security.xml

<security:http auto-config='true' use-expressions='true'>
    <security:form-login login-page="/login" default-target-url="/loginSuccess"
        authentication-failure-url="/checkVerification"
        username-parameter="mobile_Number"
        password-parameter="password"
        always-use-default-target="true"/>
    <security:intercept-url pattern="/loginCheck" access="hasRole('VERIFIED')"/>
    <security:intercept-url pattern="/loginSuccess" access="isAuthenticated()"/>
    <security:intercept-url pattern="/home" access="permitAll" />
    <security:intercept-url pattern="/RankOption/**" access="hasRole('VERIFIED')"/>
    <security:logout logout-url="/logout"/>
</security:http>

<security:authentication-manager erase-credentials="false" alias="authenticationManager">
    <security:authentication-provider ref="myAuthenticationProvider"/>
</security:authentication-manager>

<b:bean id="bcryptEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

<b:bean id="myAuthenticationProvider" class="com.cT.www.provider.CustomAuthenticationProvider"/>

SomeController.java

import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Autowired
    private PersonService personService;

    public CustomAuthenticationProvider() {
        super();
    }

    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {

        // Do not print the Authentication here: the original debug statement wrote
        // the submitted password to stdout.
        BCryptPasswordEncoder bcryptPasswordEncoder = new BCryptPasswordEncoder();

        String username = authentication.getName();
        Object credentials = authentication.getCredentials();
        String password = credentials == null ? null : credentials.toString();

        UserSignUp user = (UserSignUp) personService.loadUserByUsername(username);

        if (user == null || !user.getUsername().equalsIgnoreCase(username)) {
            throw new BadCredentialsException("Username not found.");
        }

        // Compare the raw password against the stored bcrypt hash. Re-encoding the raw
        // password and passing that new hash to checkpw() never matches anything, so the
        // original check could not reject a wrong password; the "||" also allowed an NPE.
        if (password == null || password.isEmpty()
                || !bcryptPasswordEncoder.matches(password, user.getPassword())) {
            throw new BadCredentialsException("Wrong password.");
        }

        List<Role> authorities = user.getAuthorities();

        // The 3-argument constructor marks the token as authenticated.
        return new UsernamePasswordAuthenticationToken(user, password, authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Only handle username/password tokens instead of claiming every Authentication type.
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

}

ServiceImpl.java

@Override
@Transactional
public UserSignUp loadUserByUsername(String mobile_Number)
        throws UsernameNotFoundException {
    // Kept from the original; its return value is discarded there as well.
    this.getMobile_Number_N_Password(Long.parseLong(mobile_Number));
    logger.trace("Trying to find User with mobile Number " + mobile_Number);

    List<Object[]> result = personDAO.getMobile_Number_N_Password(mobile_Number);

    // Reject missing users before indexing into the list; the original called
    // result.get(0) on an empty list and only checked for null afterwards.
    if (result == null || result.isEmpty() || result.get(0) == null) {
        throw new UsernameNotFoundException("No user found with mobile number " + mobile_Number);
    }

    String existing_Password = null;
    Boolean verification_Boolean = false;

    // Each row is (password, verified) for the given mobile number.
    for (Object[] myResult : result) {
        existing_Password = (String) myResult[0];
        verification_Boolean = (Boolean) myResult[1];
    }

    UserSignUp retrievedUserDetails = new UserSignUp();

    retrievedUserDetails.setMobile_Number(mobile_Number);
    retrievedUserDetails.setPassword(existing_Password);

    // Note: the VERIFIED role is granted to every user found; verification_Boolean
    // is read from the database but never consulted.
    Role r = new Role();
    r.setName("VERIFIED");
    List<Role> roles = new ArrayList<Role>();
    roles.add(r);

    retrievedUserDetails.setAuthorities(roles);

    return retrievedUserDetails;
}

Role.java (model)

import org.springframework.security.core.GrantedAuthority;

public class Role implements GrantedAuthority {

    private String name;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    @Override
    public String getAuthority() {
        // Left as the IDE generated it: hasRole() compares this value, and null
        // never equals "VERIFIED".
        return null;
    }

}

UserSignUp.java

@Column
@ElementCollection
private List<Role> authorities;

public List<Role> getAuthorities() {
    return authorities;
}

public void setAuthorities(List<Role> authorities) {
    this.authorities = authorities;
}

I have not set up the authorities column in the db. Will that cause a problem? However, when I debug the code, I can see the authorities variable being populated.

You used the 'UserSignUp' reference as the input to 'new UsernamePasswordAuthenticationToken(user, password, authorities);'. But it should be a 'Principal' reference. Many authentication providers create a UserDetails object as the principal. Refer to the API.

It should work if you use 'org.springframework.security.core.userdetails.UserDetails' instead of 'UserSignUp'.

Here is sample code using Spring's 'UserDetails' class.

  • Change the ServiceImpl.class loadUserByUsername(...) method signature to return 'org.springframework.security.core.userdetails.UserDetails'
  • Set the 'VERIFIED' authority role in the UserDetails class

......

    List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
    SimpleGrantedAuthority authority = new SimpleGrantedAuthority("VERIFIED");
    authorities.add(authority);
    UserDetails user = new User(mobile_Number, existing_Password, authorities);

    return user;

.......

  • Changes in SomeController.java

// loadUserByUsername now returns a UserDetails, so no cast to UserSignUp is needed
// (casting a Spring User to UserSignUp would throw a ClassCastException).
UserDetails user = personService.loadUserByUsername(username);

// Take the authorities from the UserDetails built above.
return new UsernamePasswordAuthenticationToken(user, password, user.getAuthorities());
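The following stand-alone program is an added example (not code from the question or the answer) that reproduces what hasRole('VERIFIED') actually evaluates: it turns every GrantedAuthority on the Authentication into its getAuthority() string, as SecurityExpressionRoot does through AuthorityUtils, and looks the role up in that set; the principal's type is never consulted. It assumes spring-security-core 3.2 (the generation matching Spring MVC 4.0.1) on the classpath; Spring Security 4.0 and later look up "ROLE_VERIFIED" for hasRole('VERIFIED'), so there the authority name needs that prefix. The class names PostedRole, FixedRole and the sample mobile number are constructed for the demo.

```java
import java.util.Collections;
import java.util.Set;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

public class HasRoleDemo {

    /** The question's Role as posted: getAuthority() still returns null. */
    static final class PostedRole implements GrantedAuthority {
        private final String name;
        PostedRole(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public String getAuthority() { return null; }
    }

    /** Same class with getAuthority() returning the name, which is the value hasRole() compares. */
    static final class FixedRole implements GrantedAuthority {
        private final String name;
        FixedRole(String name) { this.name = name; }
        @Override public String getAuthority() { return name; }
    }

    /**
     * What SecurityExpressionRoot.hasRole() does in Spring Security 3.2: collect the
     * getAuthority() string of every granted authority and look the role name up in that set.
     * (Spring Security 4+ looks up "ROLE_" + role unless the name already carries the prefix.)
     */
    static boolean hasRole(Authentication auth, String role) {
        Set<String> names = AuthorityUtils.authorityListToSet(auth.getAuthorities());
        return names.contains(role);
    }

    /** Constructed token: the principal is a plain mobile-number string; hasRole() never inspects it. */
    static Authentication tokenWith(GrantedAuthority authority) {
        return new UsernamePasswordAuthenticationToken("9876543210", "[PROTECTED]",
                Collections.singletonList(authority));
    }

    public static void main(String[] args) {
        System.out.println("posted Role            -> " + hasRole(tokenWith(new PostedRole("VERIFIED")), "VERIFIED"));
        System.out.println("fixed Role             -> " + hasRole(tokenWith(new FixedRole("VERIFIED")), "VERIFIED"));
        System.out.println("SimpleGrantedAuthority -> " + hasRole(tokenWith(new SimpleGrantedAuthority("VERIFIED")), "VERIFIED"));
    }
}
```

Only the first line reports false, which is why the intercept-url rules with hasRole('VERIFIED') reject a user whose Role.getAuthority() is left returning null while isAuthenticated() still passes.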
