2012-03-23 165 views
0

Spring Security roles

I have a user roles table in my database containing roles like "ROLE_ADMIN" and "ROLE_USER", and in the applicationContext-security.xml file I have defined the filterSecurityInterceptor as:

<s:filter-chain pattern="/rpc/adminService" 
    filters=" 
     authenticationProcessingFilter, 
     filterSecurityInterceptor"/> 

    <s:filter-chain pattern="/rpc/**" 
    filters=" 
     concurrentSessionFilter, 
     httpSessionContextIntegrationFilter, 
     authenticationProcessingFilter, 
     rememberMeProcessingFilter, 
     anonymousProcessingFilter, 
     exceptionTranslationFilter, 
     filterSecurityInterceptor" /> 

    <s:filter-chain pattern="/j_spring_security*" 
    filters=" 
     concurrentSessionFilter, 
     httpSessionContextIntegrationFilter, 
     logoutFilter, 
     authenticationProcessingFilter, 
     rememberMeProcessingFilter, 
     anonymousProcessingFilter" /> 

    <s:filter-chain pattern="/**" filters="none" /> 
</s:filter-chain-map> 

<bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor"> 
    <property name="authenticationManager" ref="authenticationManager" /> 
    <property name="accessDecisionManager" ref="accessDecisionManager" /> 
    <property name="objectDefinitionSource"> 
     <s:filter-invocation-definition-source> 
     <s:intercept-url pattern="/rpc/userService" access="IS_AUTHENTICATED_ANONYMOUSLY" /> 
     <s:intercept-url pattern="/rpc/adminService**" access="IS_AUTHENTICATED_ANONYMOUSLY"/> 
     <s:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> 
     </s:filter-invocation-definition-source> 
    </property> 
    </bean> 

    <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager"> 
    <property name="sessionController" ref="concurrentSessionController" /> 
    <property name="providers"> 
     <list> 
     <ref bean="rememberMeAuthenticationProvider" /> 
     <ref bean="daoAuthenticationProvider" /> 
     </list> 
    </property> 
    </bean> 

<bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider"> 
    <property name="userDetailsService" ref="accountRepository" /> 
    <property name="passwordEncoder" ref="passwordEncoder" /> 
    </bean> 

However, when I try to access some resource as an admin user, access is denied, with the complaint:

An Authentication object was not found in the SecurityContext 

How do I convert the roles defined in the database into roles that the securityContext recognizes?

+0

It sounds like you don't have authentication set up correctly. Please show how you have configured the filter chain. – 2012-03-23 20:08:55

+0

@LukeTaylor: I have updated the code to include the filter chain. thx – user468587 2012-03-23 21:18:17

Answers

0

You have this in your configuration, right?

<authentication-manager> 
    <authentication-provider user-service-ref="accountRepository"> 
     <password-encoder ref="passwordEncoder"/> 
    </authentication-provider> 
</authentication-manager> 

Have you looked into this: spring-security-3-database-authentication-with-hibernate

I use this for simple testing:

<authentication-manager alias="authenticationManager" > 
    <authentication-provider> 
      <jdbc-user-service data-source-ref="dataSource" 
       users-by-username-query = 
        "SELECT username, password, CASE Status WHEN 1 THEN 'true' ELSE 'false' END as enabled 
         FROM User 
         WHERE username = ?" 
       authorities-by-username-query= 
        "SELECT username, CASE role WHEN 1 THEN 'ROLE_USER' WHEN 2 THEN 'ROLE_ADMIN' ELSE 'ROLE_GUEST' END as authorities 
         FROM User 
         WHERE username = ?" />  
     </authentication-provider> 
</authentication-manager> 
+0

I tried this, but got the error "Cannot locate BeanDefinitionDecorator for element [jdbc-user-service]"??? <bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider"> – user468587 2012-03-23 23:20:43

1

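Your filter chain for /rpc/adminService has no HttpSessionContextIntegrationFilter. You didn't say what the request URL was when you saw the problem, but if you access that exact URL, no security context will be provided for the request.

Spring Security filter chains should always include this filter.

I would also be wary of your

<s:filter-chain pattern="/**" filters="none" /> 

, since anything that is not matched by a previous pattern will not have any security applied to it.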
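
The two problems pointed out in the answer above can be checked mechanically. The following is an added example, not part of the original answer or of Spring Security: a small Python audit of a filter-chain map that flags chains which run `filterSecurityInterceptor` without `httpSessionContextIntegrationFilter` (or with it placed after the interceptor) and chains declared with `filters="none"`. It assumes the filter bean ids are the ones used in the question; the sample input is constructed from three of the question's chains.

```python
import xml.etree.ElementTree as ET

# Namespace bound to the "s:" prefix (Spring Security 2.x schema).
SEC_NS = "http://www.springframework.org/schema/security"
# Bean ids as used in the question (assumption: your beans use the same ids).
CONTEXT_FILTER = "httpSessionContextIntegrationFilter"
INTERCEPTOR = "filterSecurityInterceptor"

# Constructed sample: three of the question's chains, wrapped in a root element
# with the namespace declared so the fragment parses on its own.
SAMPLE = """<s:filter-chain-map xmlns:s="http://www.springframework.org/schema/security">
  <s:filter-chain pattern="/rpc/adminService"
      filters="authenticationProcessingFilter, filterSecurityInterceptor"/>
  <s:filter-chain pattern="/rpc/**"
      filters="concurrentSessionFilter, httpSessionContextIntegrationFilter,
               authenticationProcessingFilter, rememberMeProcessingFilter,
               anonymousProcessingFilter, exceptionTranslationFilter,
               filterSecurityInterceptor"/>
  <s:filter-chain pattern="/**" filters="none"/>
</s:filter-chain-map>"""


def audit_filter_chains(xml_text):
    """Return (pattern, finding) pairs for the problems the answer names."""
    findings = []
    for chain in ET.fromstring(xml_text).iter("{%s}filter-chain" % SEC_NS):
        pattern = chain.get("pattern")
        # The filters attribute is a comma-separated list of bean ids.
        names = [n.strip() for n in chain.get("filters", "").split(",") if n.strip()]
        if names == ["none"]:
            # No filters at all: matching requests bypass Spring Security.
            findings.append((pattern, "unfiltered"))
        elif INTERCEPTOR in names:
            if CONTEXT_FILTER not in names:
                # Nothing loads a security context before the interceptor runs.
                findings.append((pattern, "missing-context-filter"))
            elif names.index(CONTEXT_FILTER) > names.index(INTERCEPTOR):
                # Filters run in list order, so the context arrives too late.
                findings.append((pattern, "context-filter-after-interceptor"))
    return findings


if __name__ == "__main__":
    for pattern, finding in audit_filter_chains(SAMPLE):
        print(pattern, finding)
```

On the sample, the `/rpc/adminService` chain and the `/**` catch-all are reported, while the `/rpc/**` chain passes.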