Spring Security returns Forbidden when redirecting from the configure method of WebSecurityConfigurerAdapter

Tags: spring, spring-mvc, spring-boot, spring-security

I am working on Spring Security with role-based login. Everything works fine for me, but the problem comes when, after a successful login, I want to redirect to the admin page and it gives me a Forbidden error. I still don't know where it is going wrong.

The snippet is shown below:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class UserSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        CustomSuccessHandler customSuccessHandler;

        @Override
        protected void configure(HttpSecurity http) throws Exception {

            System.out.println("in configure");
            http.csrf().disable()
                .authorizeRequests()
                    .antMatchers("/", "/home", "/about").permitAll()
                    .antMatchers("/admin").hasAnyRole("ADMIN") // if changed to antMatchers("/admin").permitAll() then it works fine
                    .antMatchers("/user/**").hasAnyRole("USER")
                    .anyRequest().authenticated()
                .and()
                .formLogin()
                    .loginPage("/login")
                    .successHandler(customSuccessHandler)
                    .usernameParameter("username")
                    .passwordParameter("password")
                    .permitAll()
                .and()
                .logout()
                    .permitAll();
        }
    }

Whenever I log in from the login.jsp page, user authentication works fine. After the user is authenticated, the page should be redirected to the admin page according to the user's role; the redirect code is written in CustomSuccessHandler. The targetUrl in CustomSuccessHandler also prints the URL as /admin, but I get a Forbidden 403 error in the browser.

If I comment out the code in UserSecurityConfig, or change it to .antMatchers("/admin").permitAll() instead of .antMatchers("/admin").hasAnyRole("ADMIN"),

then it works fine and I am redirected to the admin page.

Whitelabel Error Page

This application has no explicit mapping for /error, so you are seeing this as a fallback. Sun Nov 25 23:58:01 IST 2018 There was an unexpected error (type=Forbidden, status=403). Forbidden

You are forbidden because hasAnyRole("ADMIN") adds the role prefix to the given string, so it checks ROLE_ADMIN against ADMIN and fails. Use hasAuthority("ADMIN") instead, or rename the authority to ROLE_ADMIN, to fix it.

    // CustomSuccessHandler, the bean injected into UserSecurityConfig above.
    import java.io.IOException;
    import java.util.ArrayList;
    import java.util.Collection;
    import java.util.List;

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.web.DefaultRedirectStrategy;
    import org.springframework.security.web.RedirectStrategy;
    import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
    import org.springframework.stereotype.Component;

    @Component
    public class CustomSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

        private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

        @Override
        protected void handle(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
                throws IOException {
            String targetUrl = determineTargetUrl(authentication);

            if (response.isCommitted()) {
                System.out.println("Can't redirect");
                return;
            }
            System.out.println("Return URL : " + targetUrl);
            redirectStrategy.sendRedirect(request, response, targetUrl);
        }

        /*
         * This method extracts the roles of the currently logged-in user and returns
         * the appropriate URL according to his/her role.
         */
        protected String determineTargetUrl(Authentication authentication) {
            String url = "";

            Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();

            List<String> roles = new ArrayList<String>();

            System.out.println("authorities  " + authorities.size());

            // Collect the raw authority strings (e.g. "ADMIN" or "ROLE_ADMIN",
            // depending on how the authorities were created).
            for (GrantedAuthority a : authorities) {
                System.out.println(a.getAuthority());
                roles.add(a.getAuthority());
            }

            if (isDba(roles)) {
                url = "/db";
            } else if (isAdmin(roles)) {
                url = "/admin";
            } else if (isUser(roles)) {
                url = "/home";
            } else {
                url = "/accessDenied";
            }

            return url;
        }

        // These checks compare against the un-prefixed authority strings.
        private boolean isUser(List<String> roles) {
            return roles.contains("USER");
        }

        private boolean isAdmin(List<String> roles) {
            return roles.contains("ADMIN");
        }

        private boolean isDba(List<String> roles) {
            return roles.contains("DBA");
        }

        public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
            this.redirectStrategy = redirectStrategy;
        }

        protected RedirectStrategy getRedirectStrategy() {
            return redirectStrategy;
        }
    }
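The answer's point is that the stored authority string and the matcher must agree on the ROLE_ prefix, and the success handler must compare against that same string. The configuration below is an added example written for this page; it is not the poster's code and not part of the answer. It takes the second option from the answer (ROLE_-prefixed authorities): users are created with roles("ADMIN"), which stores the authority as ROLE_ADMIN, the rule uses hasRole("ADMIN"), which is evaluated as hasAuthority("ROLE_ADMIN"), and the handler checks the same prefixed string. It assumes Spring Boot 2.x with Spring Security 5.x before 5.7 (where WebSecurityConfigurerAdapter still exists), an in-memory user store with constructed credentials, and a hypothetical package name example.security.

```java
package example.security; // hypothetical package name for this example

import java.io.IOException;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

@Configuration
@EnableWebSecurity
public class UserSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Constructed in-memory users for the example. roles("ADMIN") stores the
    // authority as "ROLE_ADMIN"; authorities("ADMIN") would store a plain "ADMIN".
    // Passing "ROLE_ADMIN" to roles() is rejected with an IllegalArgumentException,
    // so the prefix cannot be doubled by accident.
    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        UserDetails admin = User.withUsername("admin")
                .password(passwordEncoder().encode("admin-pass"))
                .roles("ADMIN").build();
        UserDetails user = User.withUsername("alice")
                .password(passwordEncoder().encode("alice-pass"))
                .roles("USER").build();
        return new InMemoryUserDetailsManager(admin, user);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is left enabled; the login form must carry the token.
        http.authorizeRequests()
                .antMatchers("/", "/home", "/about").permitAll()
                // hasRole("ADMIN") is evaluated as hasAuthority("ROLE_ADMIN"),
                // which matches what roles("ADMIN") produced above.
                .antMatchers("/admin").hasRole("ADMIN")
                .antMatchers("/user/**").hasRole("USER")
                .anyRequest().authenticated()
            .and().formLogin()
                .loginPage("/login")
                .successHandler(new RoleBasedSuccessHandler())
                .permitAll()
            .and().logout()
                .permitAll();
    }

    // Redirects by role after login, comparing against the same ROLE_-prefixed
    // strings that the authorization rules use.
    static class RoleBasedSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

        @Override
        protected void handle(HttpServletRequest request, HttpServletResponse response,
                              Authentication authentication) throws IOException {
            if (response.isCommitted()) {
                return;
            }
            getRedirectStrategy().sendRedirect(request, response, targetUrlFor(authentication));
        }

        static String targetUrlFor(Authentication authentication) {
            Set<String> authorities = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
            if (authorities.contains("ROLE_DBA")) {
                return "/db";
            }
            if (authorities.contains("ROLE_ADMIN")) {
                return "/admin";
            }
            if (authorities.contains("ROLE_USER")) {
                return "/home";
            }
            return "/accessDenied";
        }
    }
}
```

The other consistent pairing from the answer works the same way: keep the authority as a plain "ADMIN" (for example via authorities("ADMIN") instead of roles("ADMIN")), use hasAuthority("ADMIN") in the rule, and have the handler check "ADMIN". The failure on the page comes from mixing the two: a plain "ADMIN" authority checked by hasAnyRole("ADMIN"), which looks for "ROLE_ADMIN".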