Java Spring security没有';不能匹配给定的角色
我正在开发一个简单的spring安全应用程序,它有3个用户角色(emp、admin、man)。我通过数据源读取用户数据,并且我有自己的访问被拒绝页面,用于任何用户想要访问被禁止页面的情况。以前,我在java类DemoSecurityConfig的方法Java Spring security没有';不能匹配给定的角色,java,spring,spring-boot,spring-security,Java,Spring,Spring Boot,Spring Security,我正在开发一个简单的spring安全应用程序,它有3个用户角色(emp、admin、man)。我通过数据源读取用户数据,并且我有自己的访问被拒绝页面,用于任何用户想要访问被禁止页面的情况。以前,我在java类DemoSecurityConfig的方法protectedvoid configure()中定义用户信息(用户名、密码、角色)和spring security可能会注意到每个用户可以访问的页面,但问题是,由于我正在从数据库读取信息,因此所有用户都指向拒绝访问的页面,这意味着spring s
protectedvoid configure()中定义用户信息(用户名、密码、角色)
和spring security可能会注意到每个用户可以访问的页面,但问题是,由于我正在从数据库读取信息,因此所有用户都指向拒绝访问的页面,这意味着spring security角色无法工作或无法读取给定的角色
DemoSecurityConfig类
@Configuration
@EnableWebSecurity
@ComponentScan(basePackages = "com")
public class DemoSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private DataSource securityDataSource;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//use jdbc
auth.jdbcAuthentication().dataSource(securityDataSource);
}
//configure of web patch in application login logout
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/").hasAnyRole("emp")
.antMatchers("/leaders/**").hasAnyRole("man")
.antMatchers("/systems/**").hasAnyRole("admin")
.and().formLogin().loginPage("/showMyLoginPage")
.loginProcessingUrl("/authenticateTheUser")
.permitAll().and().logout().permitAll().and().exceptionHandling().accessDeniedPage("/access-denied");
}
}
DemoAppConfig
@Configuration
@EnableWebMvc
@ComponentScan(basePackages = "com")
@PropertySource("classpath:persistence-mysql.properties")
public class DemoAppConfig {
//define a bean for view resolver
@Bean
public ViewResolver viewResolver(){
InternalResourceViewResolver viewResolver=new InternalResourceViewResolver();
viewResolver.setPrefix("/WEB-INF/view/");
viewResolver.setSuffix(".jsp");
return viewResolver;
}
//reading properties file
//set yp varible for holding a properties
@Autowired
private Environment env;
private Logger logger=Logger.getLogger(getClass().getName());
//define a bean for data source
@Bean
public DataSource securityDataSource(){
//create data connection
ComboPooledDataSource securityDataSource
=new ComboPooledDataSource();
//set up jdbc driver class
try {
securityDataSource.setDriverClass(env.getProperty("jdbc.driver"));
} catch (PropertyVetoException exc) {
throw new RuntimeException(exc);
}
//log the connection for make sure
logger.info(">> jdbc.url=" +env.getProperty("jdbc.url"));
logger.info(">> jdbc.user=" +env.getProperty("jdbc.user"));
//set up database connection properties
securityDataSource.setJdbcUrl(env.getProperty("jdbc.url"));
securityDataSource.setUser(env.getProperty("jdbc.user"));
securityDataSource.setPassword(env.getProperty("jdbc.password"));
//set yp connection props
securityDataSource.setInitialPoolSize(getIntProperty("connection.pool.initialPoolSize"));
securityDataSource.setMinPoolSize(getIntProperty("connection.pool.minPoolSize"));
securityDataSource.setMaxPoolSize(getIntProperty("connection.pool.maxPoolSize"));
securityDataSource.setMaxIdleTime(getIntProperty("connection.pool.maxIdleTime"));
return securityDataSource;
}
//need a helper class
//read env property and convert to int
private int getIntProperty(String proName){
String proVal=env.getProperty(proName);
int intPropVal=Integer.parseInt(proVal);
return intPropVal;
}
}
home.jsp
<html>
<head>
<title>Title</title>
</head>
<body>
<h1>this is a main page</h1>
<!-- add link to point to leaders -->
<security:authorize access="hasRole('admin')">
<p>
<a href="${pageContext.request.contextPath}/systems">IT meeting</a>
(only for admins)
</p>
<br/>
<p>
</security:authorize>
<security:authorize access="hasRole('man')">
<a href="${pageContext.request.contextPath}/leaders">leaders meeting</a>
(only for admins)
</p>
<br/>
</security:authorize>
<form:form action="${pageContext.request.contextPath}/logout" method="post">
<input type="submit" value="Logout">
<hr>
<-- display user -->
User: <security:authentication property="principal.username"/>
<br><br>
roles <security:authentication property="principal.authorities"/>
</hr>
</form:form>
</body>
</html>
标题
这是一个主页
(仅适用于管理员)
(仅适用于管理员)
用户:
角色
来自hasAnyRole()
:
指定URL的快捷方式需要多个角色中的任意一个。如果你
不希望自动插入“角色”,请参见
hasAnyAuthority(字符串…)
因此,hasAnyRole(“emp”)
希望用户拥有角色role\u emp
,但用户现在拥有角色emp
更新数据库中所有以ROLE\u
为前缀的用户权限,例如ROLE\u emp
和ROLE\u admin
或更改为使用hasAnyAuthority()
,这将不会添加ROLE\u
前缀:
protectedvoid配置(HttpSecurity http)引发异常{
http.authorizeRequests()
.antMatchers(“/”).hasAnyAuthority(“emp”)
.antMatchers(“/leaders/**”).hasAnyAuthority(“man”)
.antMatchers(“/systems/**”).hasAnyAuthority(“admin”)
......
}
来自hasAnyRole()
:
指定URL的快捷方式需要多个角色中的任意一个。如果你
不希望自动插入“角色”,请参见
hasAnyAuthority(字符串…)
因此,hasAnyRole(“emp”)
希望用户拥有角色role\u emp
,但用户现在拥有角色emp
更新数据库中所有以ROLE\u
为前缀的用户权限,例如ROLE\u emp
和ROLE\u admin
或更改为使用hasAnyAuthority()
,这将不会添加ROLE\u
前缀:
protectedvoid配置(HttpSecurity http)引发异常{
http.authorizeRequests()
.antMatchers(“/”).hasAnyAuthority(“emp”)
.antMatchers(“/leaders/**”).hasAnyAuthority(“man”)
.antMatchers(“/systems/**”).hasAnyAuthority(“admin”)
......
}