Spring Security gives a Forbidden error when redirecting in the configure method of WebSecurityConfigurerAdapter
Tags: spring, spring-mvc, spring-boot, spring-security
I am working on Spring Security with role-based login. Everything works fine for me, but the problem comes after a successful login: when I want to redirect to the admin page, it gives me a Forbidden error. I still don't know where it went wrong. The snippet is shown below:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class UserSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    CustomSuccessHandler customSuccessHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        System.out.println("in configure");
        http.csrf().disable()
            .authorizeRequests()
                .antMatchers("/", "/home", "/about").permitAll()
                .antMatchers("/admin").hasAnyRole("ADMIN") // if changed to antMatchers("/admin").permitAll() then it works fine
                .antMatchers("/user/**").hasAnyRole("USER")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .successHandler(customSuccessHandler) // redirects by role after login (CustomSuccessHandler below)
                .usernameParameter("username")
                .passwordParameter("password")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
}
Whenever I log in from the login.jsp page, user authentication works fine, and after the user is authenticated the page should be redirected to the admin page according to the user's role; the redirect code is written in CustomSuccessHandler.
The targetUrl in CustomSuccessHandler also prints the URL as /admin, but I get a Forbidden 403 error in the browser.
If I comment out or modify the code in UserSecurityConfig to
.antMatchers("/admin").permitAll()
instead of
.antMatchers("/admin").hasAnyRole("ADMIN")
then it works fine and is redirected to the admin page.
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Sun Nov 25 23:58:01 IST 2018
There was an unexpected error (type=Forbidden, status=403).
Forbidden
You are forbidden because hasAnyRole("ADMIN") adds the role prefix to the given string, so it checks ROLE_ADMIN against ADMIN and fails. Use hasAuthority("ADMIN") instead, or rename the authority to ROLE_ADMIN, to fix it.
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

@Component
public class CustomSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    @Override
    protected void handle(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
            throws IOException {
        String targetUrl = determineTargetUrl(authentication);
        if (response.isCommitted()) {
            System.out.println("Can't redirect");
            return;
        }
        System.out.println("Return URL : " + targetUrl);
        redirectStrategy.sendRedirect(request, response, targetUrl);
    }

    /*
     * This method extracts the roles of the currently logged-in user and returns
     * the appropriate URL according to his/her role.
     */
    protected String determineTargetUrl(Authentication authentication) {
        String url = "";
        Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
        List<String> roles = new ArrayList<String>();
        System.out.println("authorities " + authorities.size());
        for (GrantedAuthority a : authorities) {
            System.out.println(a.getAuthority());
            roles.add(a.getAuthority()); // raw authority string, e.g. "ADMIN" (no ROLE_ prefix)
        }
        if (isDba(roles)) {
            url = "/db";
        } else if (isAdmin(roles)) {
            url = "/admin";
        } else if (isUser(roles)) {
            url = "/home";
        } else {
            url = "/accessDenied";
        }
        return url;
    }

    // The three checks below compare the raw authority strings exactly as stored.
    private boolean isUser(List<String> roles) {
        if (roles.contains("USER")) {
            return true;
        }
        return false;
    }

    private boolean isAdmin(List<String> roles) {
        if (roles.contains("ADMIN")) {
            return true;
        }
        return false;
    }

    private boolean isDba(List<String> roles) {
        if (roles.contains("DBA")) {
            return true;
        }
        return false;
    }

    public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
        this.redirectStrategy = redirectStrategy;
    }

    protected RedirectStrategy getRedirectStrategy() {
        return redirectStrategy;
    }
}
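The prefix mismatch the answer describes, as an added example that is not part of the original question or answer: it builds an Authentication the way Spring Security does after a successful form login and evaluates the same hasRole/hasAuthority checks that the antMatchers rules use, once with the authority stored as the bare string "ADMIN" (what the question's CustomSuccessHandler looks for) and once with it renamed to "ROLE_ADMIN". The class name RolePrefixDemo and the username "alice" are assumptions; it needs spring-security-core (5.x) on the classpath.

```java
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

// Added example (not from the question or answer): why antMatchers("/admin").hasAnyRole("ADMIN")
// rejects a user whose authority is the bare string "ADMIN", and which two changes make it pass.
public class RolePrefixDemo {

    // Builds an authenticated token like the one a successful form login leaves in the
    // SecurityContext, carrying the given authority strings. Username "alice" is an assumption.
    static Authentication loggedInWith(String... authorities) {
        return new UsernamePasswordAuthenticationToken(
                "alice", null, AuthorityUtils.createAuthorityList(authorities));
    }

    // SecurityExpressionRoot is the class behind hasRole()/hasAnyRole()/hasAuthority() in the URL
    // rules; it is abstract only to prevent direct use, so an anonymous subclass is enough here.
    static SecurityExpressionRoot rules(Authentication auth) {
        return new SecurityExpressionRoot(auth) { };
    }

    // Same check as .antMatchers("/admin").hasAnyRole("ADMIN"): "ROLE_" is prepended to "ADMIN"
    // before it is compared with the stored authorities.
    static boolean passesHasRole(String storedAuthority) {
        return rules(loggedInWith(storedAuthority)).hasRole("ADMIN");
    }

    // Same check as .antMatchers("/admin").hasAuthority("ADMIN"): the raw string is compared as-is.
    static boolean passesHasAuthority(String storedAuthority) {
        return rules(loggedInWith(storedAuthority)).hasAuthority("ADMIN");
    }

    public static void main(String[] args) {
        // Authority exactly as the question's CustomSuccessHandler expects it: "ADMIN".
        System.out.println("authority ADMIN,      hasRole(\"ADMIN\")      -> " + passesHasRole("ADMIN"));
        System.out.println("authority ADMIN,      hasAuthority(\"ADMIN\") -> " + passesHasAuthority("ADMIN"));
        // Authority renamed to the convention hasRole() expects.
        System.out.println("authority ROLE_ADMIN, hasRole(\"ADMIN\")      -> " + passesHasRole("ROLE_ADMIN"));
    }
}
```

Per the behaviour the answer describes, the first line is false (the stored "ADMIN" never equals the prefixed "ROLE_ADMIN" the rule looks for) and the other two are true. One caveat if you take the rename route: the question's CustomSuccessHandler compares the raw authority strings with roles.contains("ADMIN"), so after renaming the authority to ROLE_ADMIN that check must be updated too, otherwise the handler falls through to /accessDenied even though the /admin rule would now pass.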