具有多个角色的Spring安全性访问 [英] Spring security access with multiple roles

问题描述

我想为具有以下角色之一(ROLE1或ROLE2)的用户定义某些页面的访问权限

I want to define access for some pages for user who has one of following roles (ROLE1 or ROLE2)

我正在尝试在我的spring security xml文件中进行如下配置:

I'm trying to configure this in my spring security xml file as following:

<security:http entry-point-ref="restAuthenticationEntryPoint" access-decision-manager-ref="accessDecisionManager" xmlns="http://www.springframework.org/schema/security" use-expressions="true">
        <!-- skipped configuration -->
        <security:intercept-url pattern="/rest/api/myUrl*" access="hasRole('ROLE1') or hasRole('ROLE2')" />

        <!-- skipped configuration -->
    </security:http>

我尝试了多种方式，例如:

I've tried various ways like:

access="hasRole('ROLE1, ROLE2')"
access="hasRole('ROLE1', 'ROLE2')"
access="hasAnyRole('[ROLE1', 'ROLE2]')"

等

但似乎没有任何作用.

我一直都在例外

java.lang.IllegalArgumentException: Unsupported configuration attributes:

或

java.lang.IllegalArgumentException: Failed to parse expression 'hasAnyRole(['ROLE1', 'ROLE2'])'

应如何配置?

谢谢

推荐答案

问题是我配置了自定义access-decision-manager-ref="accessDecisionManager" 并没有通过其中一位选民.

The problem was that I configured custom access-decision-manager-ref="accessDecisionManager" and didn't pass one of the voters.

通过在accessDecisionManager bean中添加org.springframework.security.web.access.expression.WebExpressionVoter来解决.

Solved by adding org.springframework.security.web.access.expression.WebExpressionVoter to accessDecisionManager bean.

这篇关于具有多个角色的Spring安全性访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！