2016-07-22 95 views
0

Spring Security: access denied

I have this security-context.xml:

<security:http auto-config="true">
    <security:intercept-url pattern="/user*" access="hasRole('REGISTERED_USER')"/>
</security:http>

<security:authentication-manager>
    <security:authentication-provider>
        <security:user-service id="userDetailsService">
            <security:user password="password" name="user" authorities="REGISTERED_USER" />
            <security:user password="password" name="manager" authorities="BOOKING_MANAGER" />
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

As expected, when I try to access /user I am redirected to login. But I expect to be granted access after I log in as user/password. That does not happen, and I get:

HTTP Status 403 - Access is denied. 

What am I misunderstanding?

Answer

0

First option: you have to add the prefix ROLE_

<security:user password="password" name="user" authorities="ROLE_REGISTERED_USER" /> 

http://websystique.com/spring-security/spring-security-4-secure-view-layer-using-taglibs/

Second option: you can redefine the RoleVoter bean so that it works without the prefix:

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    <constructor-arg name="decisionVoters">
        <list>
            <bean class="org.springframework.security.access.vote.RoleVoter">
                <property name="rolePrefix" value=""/>
            </bean>
        </list>
    </constructor-arg>
</bean>
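
An added configuration example, not part of the original question or answer: a complete security-context.xml that keeps the unprefixed authorities from the question and swaps the failing `hasRole` rule for `hasAuthority`, which compares the exact authority string. It assumes Spring Security 4 (the version the linked article covers), where `hasRole` prepends `ROLE_` to the name before comparing.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security.xsd">

    <security:http auto-config="true">
        <!-- Before (from the question), ends in 403 after a successful login:
               access="hasRole('REGISTERED_USER')"
             hasRole() checks for the authority ROLE_REGISTERED_USER, but the
             user below is only granted REGISTERED_USER. -->

        <!-- After: hasAuthority() adds no prefix, so it matches the granted
             authority string exactly as written in the user-service. -->
        <security:intercept-url pattern="/user*"
                                access="hasAuthority('REGISTERED_USER')"/>
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <!-- Users and authorities copied unchanged from the question. -->
            <security:user-service id="userDetailsService">
                <security:user name="user" password="password"
                               authorities="REGISTERED_USER"/>
                <security:user name="manager" password="password"
                               authorities="BOOKING_MANAGER"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
```

With this rule, `manager` (who holds only `BOOKING_MANAGER`) still gets a 403 on /user, while `user` is admitted.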