User Granted Authorities are always: ROLE_ANONYMOUS?

Views: 2524

Problem description

I am using the following method to make a programmatic login after registration:

    // Imports assumed for Spring Security 2.x, the version whose
    // UsernamePasswordAuthenticationToken constructor takes a GrantedAuthority[]
    import javax.servlet.http.HttpServletRequest;

    import org.springframework.security.Authentication;
    import org.springframework.security.AuthenticationManager;
    import org.springframework.security.GrantedAuthority;
    import org.springframework.security.GrantedAuthorityImpl;
    import org.springframework.security.context.SecurityContextHolder;
    import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
    import org.springframework.security.ui.WebAuthenticationDetails;

    // Injected from the Spring context (the bean the <authentication-manager> element exposes)
    private AuthenticationManager authenticationManager;

    private void autoLogin(User user, HttpServletRequest request) {
        // These authorities only ride on the request token: a successful authenticate()
        // returns a new token whose authorities come from the UserDetailsService, so this
        // hard-coded ROLE_ADMIN is not what the user ends up holding.
        GrantedAuthority[] grantedAuthorities = new GrantedAuthority[] {
                new GrantedAuthorityImpl("ROLE_ADMIN") };

        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
                user.getUsername(), user.getPassword(), grantedAuthorities);

        // Generate a session if one doesn't exist, so the security context has somewhere to live
        request.getSession();

        token.setDetails(new WebAuthenticationDetails(request));
        Authentication authenticatedUser = authenticationManager.authenticate(token);

        // Only sets the thread-local context for this request; saving it to the session
        // for subsequent requests is the job of Spring Security's filter chain
        SecurityContextHolder.getContext().setAuthentication(authenticatedUser);
    }

The user is authenticated but always has ROLE_ANONYMOUS. I don't know why; any ideas?

Recommended answer

This behaviour looks very strange. Javi suggests persisting the security context into the session manually, but that should be done automatically by Spring Security's SecurityContextPersistenceFilter.

One possible cause I can imagine is filters="none" in the <intercept-url> of your registration processing page.

filters="none" disables all security filters for the specified URL. As you can see, it may interfere with other features of Spring Security. So the better approach is to keep the filters enabled, but to configure them to allow access for all users. You have several options:

  • With the old syntax of the access attribute (i.e. without <http use-expressions="true" ...>):
    • access="ROLE_ANONYMOUS" allows access for non-authenticated users, but denies it for authenticated ones
    • To allow access for all users you can write access="IS_AUTHENTICATED_ANONYMOUSLY, IS_AUTHENTICATED_FULLY, IS_AUTHENTICATED_REMEMBERED"
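The two settings the answer contrasts, side by side in one Spring Security namespace configuration. This is an added example, not part of the original question or answer; it assumes the 3.0-style nested <authentication-manager> layout, and the URL patterns, the in-memory user and the bean alias are illustrative assumptions. The weak filters="none" line is kept, commented out, next to the old-syntax access value that replaces it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security namespace config, old access syntax (no use-expressions="true") -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd">

  <http auto-config="true">
    <!-- WEAK (the suspected cause): no filter at all runs for /register, so the
         SecurityContext that autoLogin() puts in SecurityContextHolder is never
         written to the HttpSession and the next request starts out anonymous. -->
    <!-- <intercept-url pattern="/register" filters="none" /> -->

    <!-- FIXED: the filter chain stays active, everyone is admitted. Listing all
         three IS_AUTHENTICATED_* pseudo-roles covers anonymous, fully
         authenticated and remember-me users alike. -->
    <intercept-url pattern="/register"
                   access="IS_AUTHENTICATED_ANONYMOUSLY, IS_AUTHENTICATED_FULLY, IS_AUTHENTICATED_REMEMBERED" />

    <!-- ROLE_ANONYMOUS alone admits only users who are NOT logged in -->
    <intercept-url pattern="/login" access="ROLE_ANONYMOUS" />

    <!-- Ordinary role checks; first matching pattern wins, so specific URLs go first -->
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />

    <form-login login-page="/login" />
    <logout logout-url="/logout" />
  </http>

  <!-- Exposes the AuthenticationManager that autoLogin() has injected as "authenticationManager".
       In-memory users are an assumption for the example; a real app would use a JDBC or
       custom UserDetailsService, and the roles it returns are what the login token ends up with. -->
  <authentication-manager alias="authenticationManager">
    <authentication-provider>
      <user-service>
        <user name="admin" password="admin" authorities="ROLE_ADMIN" />
        <user name="alice" password="alice" authorities="ROLE_USER" />
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

Two things to check when debugging the symptom in the question: that the registration URL is matched by an <intercept-url> that keeps the filter chain (the FIXED line above rather than the commented one), and that the authorities actually granted are the ones the UserDetailsService returns for that user, since the ROLE_ADMIN placed on the request token in autoLogin() is replaced by a successful authenticate() call.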
