
输入正确的凭证后,我得到403访问被拒绝页面。这里有一些重要的文件。问题:Spring自定义登录返回403访问被拒绝页面

Spring-Security.xml 文件

<!--
  HTTP security rules for the application. use-expressions="true" means the
  access attributes below are evaluated as security expressions.
  Only one URL pattern is restricted in this snippet; no rule for any other
  path, including the post-login target /userpage/, is shown here.
-->
<security:http auto-config="true" use-expressions="true"> 

<!--
  NOTE(review): from Spring Security 4 onwards hasRole('Recruiter') is checked
  against the authority "ROLE_Recruiter" (the ROLE_ prefix is added when it is
  missing), while LoginService grants the bare role name. That mismatch ends in
  "403 - Access is denied" after a successful login. hasAuthority('Recruiter')
  compares the exact string instead. Confirm which version is in use.
-->
<security:intercept-url pattern="/manageIndustry/viewAddIndustryForm" 
    access="hasRole('Recruiter')" /> 


<!--
  Custom login form: credentials are posted to /j_spring_security_check using
  the field names emailId and userPassword. With always-use-default-target
  set to false, a user who was sent to the login page from a protected URL is
  returned to that URL after login rather than to /userpage/.
-->
<security:form-login login-page="/login/" 
    default-target-url="/userpage/" 
    authentication-failure-url="/accessdenied" 
    username-parameter="emailId" 
    password-parameter="userPassword" 
    login-processing-url="/j_spring_security_check" 
    always-use-default-target="false" /> 

<security:logout invalidate-session="true" /> 
<!--
  CSRF protection is enabled, so the login form (and any other POST) has to
  submit the CSRF token. A missing token is also rejected with a 403, but with
  a CSRF-specific message rather than "Access is denied".
-->
<security:csrf /> 
</security:http> 

<!--
  Authentication is delegated to the LoginService bean (a UserDetailsService).
  NOTE(review): no <security:password-encoder> is shown inside this provider.
  In Spring Security 3.x/4.x that means the submitted password is compared with
  the stored value as plain text; confirm that a hashing encoder such as
  BCrypt is configured in the part of the file not shown here.
  The closing </security:authentication-manager> tag is not part of the
  snippet as posted.
-->
<security:authentication-manager> 
    <security:authentication-provider 
     user-service-ref="LoginService"> 
</security:authentication-provider> 

LoginService.java

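/**
 * Looks up the account for the e-mail address submitted in the login form
 * (the {@code emailId} field) and converts it to a Spring Security user.
 *
 * @param emailID the e-mail address typed into the login form
 * @return the account's credentials, enabled flag and granted authorities
 * @throws UsernameNotFoundException if the DAO finds no account for {@code emailID}
 */
@Override
public UserDetails loadUserByUsername(String emailID)
        throws UsernameNotFoundException {
    UserVO userVO = userDAO.getSingleUserByEmailId(emailID);
    if (userVO == null) {
        // The UserDetailsService contract requires an exception here, never
        // null: a null result reaches the authentication provider as an
        // internal error instead of an ordinary failed login. The message
        // deliberately does not echo the submitted address.
        throw new UsernameNotFoundException(
                "No account found for the supplied e-mail address");
    }
    List<SimpleGrantedAuthority> grantedAuthority = buildSimpleGrantedAuthority(userVO);

    // Only the enabled flag comes from the stored record (isActive == 1).
    // Account expiry, credential expiry and account locking are hard-coded to
    // "fine", so none of those states can block a login here.
    boolean enabled = userVO.getIsActive() == 1;
    return new User(userVO.getEmailId(), userVO.getUserPassword(), enabled,
            true, true, true, grantedAuthority);
}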

/**
 * Turns the user's single role into the authority list handed to Spring Security.
 *
 * The role name is used verbatim as the authority string, with no prefix.
 * Any access rule or check evaluated against it has to use that exact string.
 *
 * @param userVO the account whose role is converted
 * @return a list holding one authority, or an empty list when the user has no role
 */
private List<SimpleGrantedAuthority> buildSimpleGrantedAuthority(
        final UserVO userVO) {
    final List<SimpleGrantedAuthority> authorities = new ArrayList<>();
    if (userVO.getRoleVO() == null) {
        // No role assigned: the user authenticates but holds no authority.
        return authorities;
    }
    final String roleName = userVO.getRoleVO().getRoleName();
    authorities.add(new SimpleGrantedAuthority(roleName));
    return authorities;
}

LoginController.java

/**
 * Post-login landing page: picks the view from the current user's authority.
 *
 * A principal holding exactly one authority equal to "Recruiter" gets the
 * "addIndustry" form; every other principal gets "viewIndustry".
 *
 * This only selects a view and is not an access control. The restriction on
 * the add-industry URL itself comes from the intercept-url rule in the
 * security configuration, and the string compared here must match whatever
 * LoginService grants.
 *
 * @return the model and view to render
 */
@RequestMapping("/userpage")
public ModelAndView userpage() {
    final Object principal = SecurityContextHolder.getContext()
            .getAuthentication().getPrincipal();
    log.info(principal);

    // True only for a UserDetails principal whose single authority is "Recruiter".
    boolean recruiterOnly = false;
    if (principal instanceof UserDetails) {
        final Collection<? extends GrantedAuthority> granted =
                ((UserDetails) principal).getAuthorities();
        recruiterOnly = granted.size() == 1
                && granted.iterator().next().getAuthority().equals("Recruiter");
    }

    final ModelAndView modelAndView = new ModelAndView();
    if (recruiterOnly) {
        modelAndView.addObject("industryVO", new IndustryVO());
        modelAndView.setViewName("addIndustry");
    } else {
        modelAndView.setViewName("viewIndustry");
    }
    return modelAndView;
}

IndustryController.java

@RequestMapping("/manageIndustry") 
public class IndustryController { 
@Autowired 
IndustryDAO industryDAO; 

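/**
 * Prepares the empty form for adding an industry.
 *
 * The method performs no role check of its own. Access to
 * /manageIndustry/viewAddIndustryForm depends entirely on the intercept-url
 * rule in the security configuration.
 *
 * @return the "addIndustry" view with a blank {@code industryVO} backing object
 */
@RequestMapping("/viewAddIndustryForm")
public ModelAndView viewAddIndustryForm() {
    // The principal lookup that used to sit here was never read, so it is gone.
    log.info("this is called");

    ModelAndView modelAndView = new ModelAndView();
    modelAndView.addObject("industryVO", new IndustryVO());
    modelAndView.setViewName("addIndustry");
    return modelAndView;
}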

打开http://localhost:8080/JobPortal/login并输入正确的凭证后,它将我重定向到addIndustry页面,考虑default-target-url="/userpage/"和登录控制器中的代码。

但是,当我直接访问 addIndustry 页面(即 http://localhost:8080/JobPortal/manageIndustry/viewAddIndustryForm)时,它会按照 Spring-Security.xml 中的配置打开登录页面;可是即使提供了正确的凭据,我仍然得到 HTTP Status 403 - Access is denied

任何帮助将不胜感激。

谢谢。

回答


您使用的是哪个版本的 Spring Security?据我记得,在旧版本中,你必须给用户角色添加前缀“ROLE_”,所以在你的 buildSimpleGrantedAuthority 中应该这样做:

/**
 * Builds the user's authority list with the "ROLE_" prefix put in front of
 * the stored role name, so that a rule such as hasRole('Recruiter') can match.
 *
 * NOTE(review): once the prefix is added, any code that compares the
 * authority string directly (the equals("Recruiter") check in the login
 * controller's userpage()) has to compare against "ROLE_Recruiter" instead.
 * Also confirm that stored role names do not already start with "ROLE_", or
 * the prefix would be doubled.
 *
 * @param userVO the account whose role is converted
 * @return a list holding one prefixed authority, or an empty list when the user has no role
 */
private List<SimpleGrantedAuthority> buildSimpleGrantedAuthority(
        final UserVO userVO) {
    final List<SimpleGrantedAuthority> result = new ArrayList<>();
    if (userVO.getRoleVO() == null) {
        return result;
    }
    final String authority = "ROLE_" + userVO.getRoleVO().getRoleName();
    result.add(new SimpleGrantedAuthority(authority));
    return result;
}