Java Spring Security中角色和权限的实现-更新:与hasPermission方法相关的错误
我正在开发一个用于测试Spring安全性资源的应用程序,在当前状态下,我需要一个解决方案来实现我的方法的角色和权限。我已经在使用此注释:Java Spring Security中角色和权限的实现-更新:与hasPermission方法相关的错误,java,spring,spring-mvc,spring-security,Java,Spring,Spring Mvc,Spring Security,我正在开发一个用于测试Spring安全性资源的应用程序,在当前状态下,我需要一个解决方案来实现我的方法的角色和权限。我已经在使用此注释: @Secured("ROLE_ADMIN") 定义应该能够访问每个方法的角色。在我的数据库中,我有以下结构: 这意味着对于每个角色,我都可以有一个权限列表。任何人都可以为我的每个方法定义两个限制的解决方案吗?我通过Java代码配置Spring安全性,方法如下: @Controller @RequestMapping(value="privado") pub
@Secured("ROLE_ADMIN")
定义应该能够访问每个方法的角色。在我的数据库中,我有以下结构:
这意味着对于每个角色,我都可以有一个权限列表。任何人都可以为我的每个方法定义两个限制的解决方案吗?我通过Java代码配置Spring安全性,方法如下:
@Controller
@RequestMapping(value="privado")
public class PrivadoController {
@RequestMapping(value="admin")
//@Secured("admin_main")
@PreAuthorize("hasRole('admin_main')")
public ModelAndView admin() {
ModelAndView mav = new ModelAndView();
mav.setViewName("privado/admin");
return mav;
}
@RequestMapping(value="customer")
//@Secured("customer_main")
@PreAuthorize("hasRole('customer_main')")
public ModelAndView customer() {
ModelAndView mav = new ModelAndView();
mav.setViewName("privado/customer");
return mav;
}
}
更新
根据提出的建议,我将AuthenticationService(扩展UserDetailsService)更改为:
但是现在当我尝试访问该页面时,我得到了我的“不允许”页面。现在怎么了
更新
经过一些更改,我终于找到了以下代码:
AuthenticationService.java
@Service
public class AuthenticationService implements UserDetailsService {
@Autowired
private UsuarioHome accountDao;
@Override
@Transactional(readOnly = true, propagation = Propagation.SUPPORTS)
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
Usuario account = accountDao.findByField("login", username);
if(account==null) {
System.out.println("No such user: " + username);
throw new UsernameNotFoundException("No such user: " + username);
} else if (account.getAutorizacao().isEmpty()) {
System.out.println("User " + username + " has no authorities");
throw new UsernameNotFoundException("User " + username + " has no authorities");
}
List<Permission> lista = new ArrayList<Permission>();
int max = account.getAutorizacao().size();
for(int i=0; i<max; i++) {
for(int j=0; j<max; j++) {
lista.add(account.getAutorizacao().get(i).getPermissao().get(j));
}
}
boolean accountIsEnabled = true;
boolean accountNonExpired = true;
boolean credentialsNonExpired = true;
boolean accountNonLocked = true;
return new User(account.getLogin(), account.getSenha(), accountIsEnabled, accountNonExpired, credentialsNonExpired, accountNonLocked, getAuthorities(lista));
}
public List<String> getRolesAsList(List<Permission> list) {
List <String> rolesAsList = new ArrayList<String>();
for(Permission role : list){
rolesAsList.add(role.getNome());
}
return rolesAsList;
}
public static List<GrantedAuthority> getGrantedAuthorities(List<String> roles) {
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
for (String role : roles) {
authorities.add(new SimpleGrantedAuthority(role));
}
return authorities;
}
public Collection<? extends GrantedAuthority> getAuthorities(List<Permission> list) {
List<GrantedAuthority> authList = getGrantedAuthorities(getRolesAsList(list));
return authList;
}
}
但我没有接触到任何用户,尽管通知了正确的credencials。在目前的情况下有什么问题
更新2
好的,访问被拒绝的问题可能是因为我的CustomAuthenticationSuccessHandler中的代码出错,现在是这样的:
public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication auth) throws IOException, ServletException {
HttpSession session = request.getSession();
SavedRequest savedReq = (SavedRequest) session.getAttribute(WebAttributes.ACCESS_DENIED_403);
boolean isAdmin = false;
boolean isUser = false;
if (savedReq == null) {
Collection<? extends GrantedAuthority> authorities = auth.getAuthorities();
for (GrantedAuthority grantedAuthority : authorities) {
if(grantedAuthority.getAuthority().equals("admin_main"))
isAdmin = true;
else if(grantedAuthority.getAuthority().equals("customer_main"))
isUser = true;
}
if(isAdmin)
response.sendRedirect(request.getContextPath() + "/privado/admin");
else if(isUser)
response.sendRedirect(request.getContextPath() + "/privado/customer");
else
response.sendRedirect(request.getContextPath() + "/erro/no_permit");
}
else {
response.sendRedirect(savedReq.getRedirectUrl());
}
}
}
公共类CustomAuthenticationSuccessHandler实现AuthenticationSuccessHandler{
@凌驾
AuthenticationSuccess(HttpServletRequest请求、HttpServletResponse响应、身份验证验证)上的公共void引发IOException、ServletException{
HttpSession session=request.getSession();
SavedRequest savedReq=(SavedRequest)session.getAttribute(WebAttributes.ACCESS\u DENIED\u 403);
布尔值isAdmin=false;
布尔值isUser=false;
if(savedReq==null){
收集这可能有助于链接描述的内容基本上是我现在实现的,但我如何使用它?意思是:对于每个方法,我如何定义用户应该访问它们的角色和权限?这是我现在的主要问题。正如我所说,我现在使用@Secured(“role_ADMIN”)。我如何修改我的代码以包含权限?事实上,以角色
开头的东西并没有使它成为一个角色,它实际上是一个权限。你的角色
不过是一个权限容器,所以不要指定@Secured(“ROLE\u ADMIN”)
而是像@Secured(“你的权限”)这样做
,然后以这样一种方式配置Spring安全性:忽略您的角色,只考虑您的权限。(或者更简单,在用户的getAuthorities
方法中解决这个问题(假设它实现了UserDetails
)。好的,我刚刚在代码中做了一些更改(请参阅更新).但是现在我被拒绝访问该页面。你能告诉我我现在做错了什么吗?
@Controller
@RequestMapping(value="privado")
public class PrivadoController {
@RequestMapping(value="admin")
//@Secured("admin_main")
@PreAuthorize("hasRole('admin_main')")
public ModelAndView admin() {
ModelAndView mav = new ModelAndView();
mav.setViewName("privado/admin");
return mav;
}
@RequestMapping(value="customer")
//@Secured("customer_main")
@PreAuthorize("hasRole('customer_main')")
public ModelAndView customer() {
ModelAndView mav = new ModelAndView();
mav.setViewName("privado/customer");
return mav;
}
}
public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication auth) throws IOException, ServletException {
HttpSession session = request.getSession();
SavedRequest savedReq = (SavedRequest) session.getAttribute(WebAttributes.ACCESS_DENIED_403);
boolean isAdmin = false;
boolean isUser = false;
if (savedReq == null) {
Collection<? extends GrantedAuthority> authorities = auth.getAuthorities();
for (GrantedAuthority grantedAuthority : authorities) {
if(grantedAuthority.getAuthority().equals("admin_main"))
isAdmin = true;
else if(grantedAuthority.getAuthority().equals("customer_main"))
isUser = true;
}
if(isAdmin)
response.sendRedirect(request.getContextPath() + "/privado/admin");
else if(isUser)
response.sendRedirect(request.getContextPath() + "/privado/customer");
else
response.sendRedirect(request.getContextPath() + "/erro/no_permit");
}
else {
response.sendRedirect(savedReq.getRedirectUrl());
}
}
}