Spring Security always shows the access denied page after a successful login


I am using Spring Security for my CRUD application. Even after a successful login, Spring redirects to the access denied page.

This is my configuration file

<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled"/>
<security:http auto-config="true" use-expressions="true">
  <security:intercept-url pattern="/" access="permitAll"/>
  <security:intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')"/>

  <security:form-login  default-target-url="/employees" 
                        authentication-failure-url="/" always-use-default-target="true" 
                        authentication-success-handler-ref="UrlAuthenticationSuccessHandler"/>
</security:http>

<beans:bean id="UrlAuthenticationSuccessHandler" 
            class="com.sowmith.security.UrlAuthenticationSuccessHandler" /> 

<security:authentication-manager erase-credentials="false">
  <security:authentication-provider>
    <security:user-service>
      <security:user name="sowmith" password="reddy" authorities="hasRole('ROLE_ADMIN')"/>
    </security:user-service>
  </security:authentication-provider>
</security:authentication-manager>

AuthenticationSuccessHandler class

protected void handle(HttpServletRequest request,HttpServletResponse response, 
                      Authentication authentication) throws IOException{

    String targetUrl = determineTargetUrl(authentication);
    if(response.isCommitted()){
        log.debug("Response has already been committed. Unable to redirect to " + targetUrl);
        return;
    }
    redirectStrategy.sendRedirect(request, response, targetUrl);
}


protected String determineTargetUrl(Authentication authentication){

    boolean permitAll = false;
    boolean isAdmin = false;
    Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
    for(GrantedAuthority grantedAuthority : authorities){
        if (grantedAuthority.getAuthority().equals("permitAll")) {
            permitAll = true;
        } else if (grantedAuthority.getAuthority().equals("hasRole('ROLE_ADMIN')")) {
            isAdmin = true;
        }
    }
    if (permitAll){
        return "/";
    } else if (isAdmin) {
        return "/employees";
    } else {
        throw new IllegalStateException();
    }
}

Specify an admin in the authentication-manager tag of the Spring Security XML file, as shown below

<security:user name="sowmith" password="reddy" authorities="ROLE_ADMIN"/>

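Share your UrlAuthenticationSuccessHandler class.

In XML-based configuration, I doubt that the hasRole expression applies to specifying a user's authorities the way it can be used to determine access to a given URL pattern. I stand to be corrected, though. That is why I suggest you leave it out of the other configuration, so as not to complicate things.
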
<security:user name="sowmith" password="reddy" authorities="ROLE_ADMIN"/>
else if (grantedAuthority.getAuthority().equals("ROLE_ADMIN"))
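
Added example, not part of the original posts: a small Java program showing why the configuration in the question logs the user in and then denies access, and how the authority value from the answers changes the result. The class name AuthorityMismatchDemo and the helpers hasRole and user are hypothetical; it assumes spring-security-core is on the classpath.

```java
import java.util.Set;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class AuthorityMismatchDemo {

    // Models what the URL rule hasRole('ROLE_ADMIN') checks: an exact
    // string match against the names of the granted authorities.
    static boolean hasRole(Authentication auth, String role) {
        Set<String> granted = AuthorityUtils.authorityListToSet(auth.getAuthorities());
        return granted.contains(role);
    }

    // Success-handler decision using the corrected comparison from the answers.
    static String determineTargetUrl(Authentication auth) {
        if (hasRole(auth, "ROLE_ADMIN")) {
            return "/employees";
        }
        // Fail closed: without the role there is no protected landing page.
        throw new IllegalStateException("No landing page for " + auth.getAuthorities());
    }

    // Constructed sample user mirroring the <security:user> element.
    static Authentication user(String authority) {
        return new UsernamePasswordAuthenticationToken(
                "sowmith", "n/a", AuthorityUtils.createAuthorityList(authority));
    }

    public static void main(String[] args) {
        // authorities value as posted in the question
        Authentication asPosted = user("hasRole('ROLE_ADMIN')");
        // authorities value suggested in the answers
        Authentication asFixed = user("ROLE_ADMIN");

        // The expression text is stored verbatim as the authority name, so
        // the /** rule never finds ROLE_ADMIN and the request is denied.
        System.out.println("as posted, passes /** rule: " + hasRole(asPosted, "ROLE_ADMIN"));
        System.out.println("as fixed, passes /** rule:  " + hasRole(asFixed, "ROLE_ADMIN"));
        System.out.println("redirect after login:       " + determineTargetUrl(asFixed));
    }
}
```

The handler in the question compares against the same literal string that was configured as the authority, which is why the redirect to /employees happens before the URL rule rejects the request.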