0
我已经声明实现WebSecurityConfigurerAdapter的类。成功登录后,我将用户重定向到我在authorizeRequests中声明的page/main/list,并将“v_main”角色绑定到此请求url。但我声明如下配置返回我ACCESS_DENIED我已经声明页面accessDeniedPageWebSecurityConfigurerAdapter cofiguration不能正确处理请求
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class AppSecurityConfig extends WebSecurityConfigurerAdapter {
protected static Logger log = Logger.getLogger(AppSecurityConfig.class);
@Autowired
private CustomAuthenticationProvider authProvider;
@Autowired
public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
log.info("configAuthentication");
auth.authenticationProvider(authProvider);
}
@Override
public void configure(WebSecurity web) throws Exception {
log.info("configure WebSecurity");
web.ignoring()
.antMatchers("/assets/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
log.info("configure HttpSecurity");
http
.formLogin()
.loginPage("/login")
.permitAll()
.loginProcessingUrl("/login")
.usernameParameter("username").passwordParameter("password")
.defaultSuccessUrl("/main/list")
.failureUrl("/login?fail=1")
.and()
.authorizeRequests()
.antMatchers("/main/**").hasRole("v_role")
.anyRequest().authenticated()
.and()
.logout()
//.logoutUrl("/logout")
.logoutSuccessUrl("/login?logout")
.invalidateHttpSession(true)
.and()
.exceptionHandling()
.accessDeniedPage("/access_denied")
.and()
.csrf();
}
我的回答
我需要的是改变hasRole到hasAuthority什么。
.antMatchers("/main/**").hasAuthority("v_main")
因为我设置与SimpleGrantedAuthority
谢谢回复。我在实现AuthenticationProvider的CustomAuthenticationProvider中设置角色,并在其身份验证方法中为用户设置角色。顺便说一句我测试了你的代码,并且它返回了我正确的角色 – AEMLoviji
does request.isUserInRole(ga.getAuthority()))对于你正在检查的角色为true – Mudassar
对不起。我只是测试它返回的是什么。它返回我设置给用户的角色。但正如你所说的,UserInRole不会返回true。什么是问题? – AEMLoviji