如何在 Spring Security 中使用自定义角色/权限? [英] How do I use custom roles/authorities in Spring Security?

问题描述

在将遗留应用程序迁移到 Spring Security 时，我遇到了以下异常:

While migrating a legacy application to spring security I got the following exception:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainProxy': Initialization of bean failed; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainList': Cannot resolve reference to bean '_filterSecurityInterceptor' while setting bean property 'filters' with key [3]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterSecurityInterceptor': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Unsupported configuration attributes: [superadmin]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:480)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
at java.security.AccessController.doPrivileged(Native Method)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)

在旧应用程序中，有超级管理员"、编辑"、帮助台"等角色.但在所有 Spring Security 示例中，我只看到ROLE_"(ROLE_ADMIN"等)之类的角色.当我将superadmin"重命名为ROLE_ADMIN"并且只在配置中使用这个角色时，一切正常.

In the old application there are roles like "superadmin", "editor", "helpdesk" etc. But in all Spring Security examples I only see roles like "ROLE_" ("ROLE_ADMIN" etc). When I rename "superadmin" to "ROLE_ADMIN" and only use this role in the config, everything works.

不起作用:

 <http auto-config="true">                                      
    <intercept-url pattern="/restricted/**" access="superadmin"/>
    <form-login
        authentication-failure-url="/secure/loginAdmin.do?error=true"
        login-page="/secure/loginAdmin.do" />        
</http> 

作品:

<http auto-config="true">                                      
    <intercept-url pattern="/restricted/**" access="ROLE_ADMIN"/>
    <form-login
        authentication-failure-url="/secure/loginAdmin.do?error=true"
        login-page="/secure/loginAdmin.do" />        
</http> 

是否可以使用自定义角色名称?

Is possible to use custom role names?

推荐答案

您正在使用默认配置，该配置期望角色以 "ROLE_" 前缀开头.您必须添加自定义安全配置并将 rolePrefix 设置为 "";

You are using the default configuration which expects that roles starts with the "ROLE_" prefix. You will have to add a custom security configuration and set rolePrefix to "";

http://forum.springsource.org/archive/index.php/t-53485.html

这篇关于如何在 Spring Security 中使用自定义角色/权限?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！