Spring Security always redirects to the access-denied page after a successful login
I am using Spring Security for my CRUD application. Even after a successful login, Spring redirects to the access-denied page. Here is my configuration file:
<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled"/>

<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/" access="permitAll"/>
    <security:intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')"/>
    <security:form-login default-target-url="/employees"
        authentication-failure-url="/" always-use-default-target="true"
        authentication-success-handler-ref="UrlAuthenticationSuccessHandler"/>
</security:http>

<beans:bean id="UrlAuthenticationSuccessHandler"
    class="com.sowmith.security.UrlAuthenticationSuccessHandler" />

<security:authentication-manager erase-credentials="false">
    <security:authentication-provider>
        <security:user-service>
            <security:user name="sowmith" password="reddy" authorities="hasRole('ROLE_ADMIN')"/>
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>
The AuthenticationSuccessHandler class:
import java.io.IOException;
import java.util.Collection;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

// The post shows only the two methods; the class header, imports and the two fields
// are filled in here (assuming the usual SimpleUrlAuthenticationSuccessHandler base) so it compiles.
public class UrlAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    private final Log log = LogFactory.getLog(getClass());
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    protected void handle(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException {
        String targetUrl = determineTargetUrl(authentication);
        if (response.isCommitted()) {
            log.debug("Response has already been committed. Unable to redirect to " + targetUrl);
            return;
        }
        redirectStrategy.sendRedirect(request, response, targetUrl);
    }

    protected String determineTargetUrl(Authentication authentication) {
        boolean permitAll = false;
        boolean isAdmin = false;
        Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
        for (GrantedAuthority grantedAuthority : authorities) {
            // Compares each granted authority against the SpEL expression text copied
            // from the XML rather than against a role name such as ROLE_ADMIN.
            if (grantedAuthority.getAuthority().equals("permitAll")) {
                permitAll = true;
            } else if (grantedAuthority.getAuthority().equals("hasRole('ROLE_ADMIN')")) {
                isAdmin = true;
            }
        }
        if (permitAll) {
            return "/";
        } else if (isAdmin) {
            return "/employees";
        } else {
            throw new IllegalStateException();
        }
    }
}
Specify an admin in the authentication-manager tag of the Spring Security XML file, like this:
<security:user name="sowmith" password="reddy" authorities="ROLE_ADMIN"/>
Share your UrlAuthenticationSuccessHandler class.

In XML-based configuration, I doubt that the hasRole expression works for specifying a user's authorities the way it can be used to decide access to a given URL pattern. I stand to be corrected, though. That is why I suggest you leave it out of the other configuration, so as not to complicate things.
<security:user name="sowmith" password="reddy" authorities="ROLE_ADMIN"/>
else if (grantedAuthority.getAuthority().equals("ROLE_ADMIN"))
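The two corrected lines above, carried through into a complete handler, as an added example that is neither the poster's nor the answerer's code; it assumes Spring Security 3.x/4.x and that the bean stays wired through authentication-success-handler-ref as in the question.

```java
// Added example (not the poster's or the answerer's code). Assumes Spring Security
// 3.x/4.x and that the bean stays wired via authentication-success-handler-ref.
package com.sowmith.security;

import java.io.IOException;
import java.util.Collection;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class UrlAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    // A granted authority is a plain string such as "ROLE_ADMIN". The text
    // hasRole('ROLE_ADMIN') is a SpEL expression for access= attributes only;
    // used as an authority name it never satisfies the /** rule, so access is denied.
    static final String ADMIN_AUTHORITY = "ROLE_ADMIN";

    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws IOException {
        String targetUrl = determineTargetUrl(authentication.getAuthorities());
        if (!response.isCommitted()) {
            redirectStrategy.sendRedirect(request, response, targetUrl);
        }
    }

    // Depends only on the authority collection, so it can be unit-tested
    // without a servlet container.
    static String determineTargetUrl(Collection<? extends GrantedAuthority> authorities) {
        for (GrantedAuthority authority : authorities) {
            if (ADMIN_AUTHORITY.equals(authority.getAuthority())) {
                return "/employees"; // the /** rule hasRole('ROLE_ADMIN') admits this user
            }
        }
        // Anyone else is sent to the one permitAll URL instead of to a page the
        // /** rule would reject, and no IllegalStateException turns into a 500.
        return "/";
    }
}
```

With the user defined as authorities="ROLE_ADMIN", determineTargetUrl returns /employees and the /** rule lets the request through; with the original authorities="hasRole('ROLE_ADMIN')" the only authority is that literal string, hasRole('ROLE_ADMIN') finds no ROLE_ADMIN, and the filter correctly fails closed to the access-denied page.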