如何解决Spring Security中的角色? [英] How to fix role in Spring Security?
问题描述
我正在尝试在我的项目中使用Spring Security,这里是代码:
I'm trying to use Spring Security in my project, here is the code:
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// TODO Auto-generated method stub
//super.configure(auth);
//auth.inMemoryAuthentication().withUser("admin").password("1111").roles("USER");
auth
.jdbcAuthentication()
.dataSource(dataSource)
.usersByUsernameQuery("select username, password, 1 from users where username=?")
.authoritiesByUsernameQuery("select users_username, roles_id from roles_users where users_username=?")
.rolePrefix("ROLE_");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable();
http
.httpBasic();
http
.authorizeRequests()
.anyRequest().authenticated();
http
.authorizeRequests()
.antMatchers("/users/all").hasRole("admin")
.and()
.formLogin();
http
.exceptionHandling().accessDeniedPage("/403");
}
以下是问题所在:
想象一下,我们有两个用户(一个用用户
角色,另一个用 admin
角色)在我们的数据库中有一个管理员,第二个是用户,问题是当我以用户身份连接时(只有用户
角色),它可以访问管理资源(这是不是预期的行为。)
Imagine we have two users (one with the user
role and the other one with the admin
role) in our database one admin and the second is a user, the problem is when I connect as user (which has only user
role) it can access to admin resources (and this is not the expected behavior).
我认为这个问题存在问题:
I think the problem in this query:
"select username, password, 1 from users where username=?"
根据用户名
是主键吗?
如果有人知道如何解决这个问题?
If anyone has an idea how I can resolve this problem?
推荐答案
您的第一个匹配器 anyRequest()
始终应用,因为匹配器的顺序很重要,请参阅 HttpSecurity#authorizeRequests
:
Your first matcher anyRequest()
is always applied, because the order of matchers is important, see HttpSecurity#authorizeRequests
:
请注意,匹配器是按顺序考虑。因此,以下内容无效,因为第一个匹配器匹配每个请求,并且永远不会进入第二个映射:
Note that the matchers are considered in order. Therefore, the following is invalid because the first matcher matches every request and will never get to the second mapping:
http.authorizeRequests().antMatchers("/**").hasRole("USER").antMatchers("/admin/**")
.hasRole("ADMIN")
您的修改和简化配置:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/users/all").hasRole("admin")
.anyRequest().authenticated()
.and()
.formLogin()
.and()
.exceptionHandling().accessDeniedPage("/403");
}
这篇关于如何解决Spring Security中的角色?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!