Spring安全角色不起作用
我已在我的应用程序中配置了spring security,身份验证工作正常,但授权不起作用。这意味着Spring安全角色不起作用,spring,spring-mvc,spring-security,Spring,Spring Mvc,Spring Security,我已在我的应用程序中配置了spring security,身份验证工作正常,但授权不起作用。这意味着@secured()注释不起作用。我在访问url时出错“出现意外错误(type=probled,status=403)。 访问被拒绝” 我的spring配置是 @Autowired private MongoDBAuthenticationProvider authenticationProvider; @Override public void configure(We
@secured()
注释不起作用。我在访问url时出错“出现意外错误(type=probled,status=403)
。
访问被拒绝”
我的spring配置是
@Autowired
private MongoDBAuthenticationProvider authenticationProvider;
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/js/**", "/css/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.formLogin().defaultSuccessUrl("/resource")
.and().logout().and().authorizeRequests()
.antMatchers("/logout").permitAll()
.antMatchers("/admin/**").hasRole("ADMIN")
.anyRequest()
.authenticated()
.and().csrf().disable();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authenticationProvider);
}
我的控制器是
@RestController
@RequestMapping("/user")
public class UserController {
@Autowired
UserService userService;
@Secured(value={"ROLE_ADMIN"})
@RequestMapping(value = "/{id}", method = RequestMethod.GET)
public void getUser() {
System.out.println("working");
}
}
数据库用户是
{ "_id" : ObjectId("555982a5360403572551660c"), "username" : "user", "password" : "pass", "role" : "ADMIN" }
我的mongodb身份验证提供程序
@Service
public class MongoDBAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider{
@Autowired
MongoUserDetailsService mongoUserDetailsService;
@Autowired MongoTemplate mongoTemplate;
@Override
protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
}
@Override
protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
UserDetails loadedUser;
try {
loadedUser = mongoUserDetailsService.loadUserByUsername(username);
} catch (Exception repositoryProblem) {
throw new InternalAuthenticationServiceException(repositoryProblem.getMessage(), repositoryProblem);
}
if (loadedUser == null) {
throw new InternalAuthenticationServiceException(
"UserDetailsService returned null, which is an interface contract violation");
}
return loadedUser;
}
}
用户域
public class User {
@Id
private String id;
@NotNull
private String name;
private int age;
private String username;
private String password;
private String role;
public User() {
super();
}
public User(String name,String username,
String password, String role) {
super();
this.name = name;
this.username = username;
this.password = password;
this.role = role;
}
public String getId() {
return id;
}
public void setId(String id) {
this.id = id;
}
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public int getAge() {
return age;
}
public void setAge(int age) {
this.age = age;
}
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public String getRole() {
return role;
}
public void setRole(String role) {
this.role = role;
}
}
在Spring安全配置文件中添加这个bean
@Bean
public RoleVoter roleVoter() {
RoleVoter roleVoter = new RoleVoter();
roleVoter.setRolePrefix("");
return roleVoter;
}
然后像这样写安全注释
@Secured(value={"ADMIN"})
而不是
@Secured(value={"ROLE_ADMIN"})
你也可以试试
@PreAuthorize("hasRole('ADMIN')")
如果@Secured annotation仍然不起作用您有一个角色ADMIN,而不是角色\ ADMIN。修复
@Secured
表达式或更改数据库中的用户。还有hasRole
前缀为ROLE\uu
。你的意思是我应该写@Secured(value={“ADMIN”})?请发布完整的堆栈跟踪。我将此跟踪添加到spring配置文件中,比如roleVoter.setRolePrefix(“ROLE”)。但它不工作,因为deafult前缀是“ROLE_u”,所以您必须在数据库中更改前缀,或者将前缀设置为“嘿,我想我做错了什么,请告诉我如何进行完整描述?”PrabjotSingh请共享您的mongoDb身份验证提供程序以及用户类(如果有的话)
@PreAuthorize("hasRole('ADMIN')")