Spring Security does not work with "hasRole('ROLE_ADMIN')" or ROLE_ADMIN
Question
I am using Spring Security version 4.1. If I specify access="hasRole('ROLE_ADMIN')" or access="ROLE_ADMIN" in the security configuration, I am able to log in, but I am unable to access my admin page.
<security:http use-expressions="true">
<security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
<!-- security:intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" / -->
<security:intercept-url pattern="/createmanufsensors" access="isAuthenticated()" />
</security:http>
<security:global-method-security secured-annotations="enabled"></security:global-method-security>
Below is the debug output:
DEBUG [http-bio-8080-exec-10] [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] Secure object: FilterInvocation: URL: /admin; Attributes: [hasRole('ROLE_ADMIN')]
2016-06-25 10:07:53,667 [] DEBUG [http-bio-8080-exec-10] [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@cc305a73: Principal: org.springframework.security.core.userdetails.User@74b46745: Username: francatore ; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 7F702A6911A71EA5556C750B6D424FF5; Granted Authorities: ROLE_ADMIN
2016-06-25 10:07:53,667 [] DEBUG [http-bio-8080-exec-10] [org.springframework.security.access.vote.AffirmativeBased] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@170ea084, returned: -1
2016-06-25 10:07:53,668 [] DEBUG [http-bio-8080-exec-10] [org.springframework.security.web.access.ExceptionTranslationFilter] Access is denied (user is not anonymous); delegating to AccessDeniedHandler
What might I be missing?
Accepted answer
I have a small explanation for this. Here you are authenticated as a normal user but not authorized to view the admin page.
If you are using the access="hasRole('ROLE_ADMIN')" expression, then the Spring EL class (i.e. SecurityExpressionRoot) will add the prefix ROLE_ to every role that we have provided in the hasRole() expression. So in your case the role you have provided in hasRole('ROLE_ADMIN') resolves to ROLE_ROLE_ADMIN.
That's why you are authenticated as a user who has ROLE_ADMIN. But for the Spring Security framework, to view the admin page the user must have the role ROLE_ROLE_ADMIN (because the SecurityExpressionRoot class added the ROLE_ prefix).
So remove that ROLE_ prefix in your code, i.e. here access="hasRole('ADMIN')". Then Spring Security will add that ROLE_ prefix automatically. And make sure that you have specified your admin role in the database as ROLE_ADMIN.
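As an added check, not part of the question or answer above: a small Java harness that evaluates intercept-url access expressions through Spring Security's own DefaultWebSecurityExpressionHandler (the same path WebExpressionVoter takes) against an Authentication that carries only ROLE_ADMIN, so you can see on your exact Spring Security version which spelling of the rule grants /admin. The class name RolePrefixCheck, the principal name and the candidate list are constructed for this example; the expression strings are the ones discussed above.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;

/**
 * Evaluates access expressions the way the web expression voter does, against an
 * in-memory Authentication whose only granted authority is ROLE_ADMIN. Running it
 * against the Spring Security jar on your classpath shows which rule spellings
 * grant the request before you rely on them in the real configuration.
 */
public class RolePrefixCheck {

    // Constructed sample principal; the only authority granted is ROLE_ADMIN,
    // matching "Granted Authorities: ROLE_ADMIN" in the debug log above.
    static Authentication adminWithRolePrefix() {
        return new UsernamePasswordAuthenticationToken(
                "example-admin", "[PROTECTED]", AuthorityUtils.createAuthorityList("ROLE_ADMIN"));
    }

    /** Returns whether the given intercept-url access expression grants a GET on path. */
    static boolean granted(String accessExpression, Authentication auth, String path) {
        DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
        FilterInvocation fi = new FilterInvocation(path, "GET");
        EvaluationContext ctx = handler.createEvaluationContext(auth, fi);
        Expression expr = handler.getExpressionParser().parseExpression(accessExpression);
        return ExpressionUtils.evaluateAsBoolean(expr, ctx);
    }

    public static void main(String[] args) {
        Authentication auth = adminWithRolePrefix();
        List<String> candidates = Arrays.asList(
                "hasRole('ROLE_ADMIN')",      // spelling used in the question
                "hasRole('ADMIN')",           // spelling the answer recommends
                "hasAuthority('ROLE_ADMIN')", // exact match, no prefix handling at all
                "isAuthenticated()");
        for (String c : candidates) {
            System.out.printf("%-28s -> %s%n", c, granted(c, auth, "/admin") ? "granted" : "denied");
        }
    }
}
```

Whichever spelling the harness denies is the one that will produce the "Voter ... returned: -1" line seen in the debug log, so compare its output with the authority strings actually stored for your users.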