1
我希望用户能够根据他们的角色访问html页面。例如,只有具有HR角色的人才能够查看settings.html页面,只有那些经理才能看到pendingrequest.html。如何根据弹簧安全角色限制对html页面的访问?
这是我的安全配置:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private DatabaseAuthenticationProvider authenticationProvider;
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/js/**", "/css/**", "/img/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.formLogin().loginPage("/login").failureUrl("/login").defaultSuccessUrl("/")
.and().logout().logoutSuccessUrl("/login")
.and().authorizeRequests().antMatchers("/login").permitAll()
.antMatchers("/settings.html").hasRole("HR")
.antMatchers("/pendingRequests.html").hasRole("MANAGER")
.antMatchers("/settings.html","/pendingRequests.html").hasRole("ADMIN")
.anyRequest().authenticated().and().csrf().disable();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authenticationProvider).eraseCredentials(false);
}
}
出于某种原因,我已经试过有不工作,不管我有什么作用,我不能看到这些网页。