[英]Spring security works with access=“ROLE_USER” but not with EL
我正在學習使用Spring Security,並將其集成到Web應用程序中。 我正在使用Spring和Spring Security版本3.1.2。
如果我在安全配置中指定了access="ROLE_USER"
,則身份驗證可以正常工作,也就是說,我首先收到401,並且在登錄后可以訪問資源。
<http>
<http-basic />
<logout />
<intercept-url
pattern="/exports/**"
access="ROLE_USER" />
</http>
但是,如果我切換到EL,我的支票將不再起作用:
<http use-expressions="true">
<http-basic />
<logout />
<intercept-url
pattern="/exports/**"
access="hasRole('USER')" />
</http>
我以為這兩個配置是等效的,但是第二個配置未授權查看資源(403錯誤)。
查看日志:
DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@844f42c6: Principal: org.springframework.security.core.userdetails.User@c052d588: Username: test; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_USER
DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@1a15597, returned: -1
DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
如果我理解正確,盡管身份驗證有效,但WebExpressionVoter仍在投票反對我。
我想念什么?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.