在我的應用程序中，我試圖授予用戶「/user/**」和「/admin/**」的存取權限，但是得到了 403 錯誤。（Spring Security 出現 403 錯誤）
我使用 Spring Boot 1.5.3。
安全配置類:
package com.alokpanda.security.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@Order(1)
public class WebSecurityConfigure extends WebSecurityConfigurerAdapter {

    /** Provider that performs the username/password check for form login. */
    @Autowired
    private AuthenticationProvider authenticationProvider;

    /**
     * Registers the injected provider with the application's authentication manager.
     *
     * @param auth builder for the global AuthenticationManager
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider);
    }

    /**
     * Declares URL authorization, form login, logout and CSRF settings.
     * Each configurer is applied in its own statement on {@code http}, which is
     * equivalent to chaining them with {@code and()}.
     *
     * <p>{@code hasRole("ADMIN")} matches the granted authority {@code ROLE_ADMIN}
     * (Spring Security adds the {@code ROLE_} prefix itself), so the authorities
     * loaded for the user must carry that prefix or the request ends in 403.
     *
     * @param http the HttpSecurity being configured
     * @throws Exception propagated from the configurers
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // URL rules are evaluated in declaration order; the first match wins.
        http.authorizeRequests()
                .antMatchers("/", "/login", "/logout").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/user/**").hasRole("USER")
                .anyRequest().authenticated();

        http.formLogin()
                .loginPage("/login")
                .usernameParameter("username")
                .passwordParameter("password")
                .loginProcessingUrl("/login")
                .failureUrl("/");

        http.logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/");

        // NOTE(review): CSRF protection is switched off for the whole application,
        // which leaves the login and logout endpoints open to cross-site request
        // forgery. With it enabled, the login/logout forms must submit the CSRF
        // token and logout must be a POST.
        http.csrf().disable();
    }
}
AuthenticationProvider 類:
package com.alokpanda.security.impl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Service;
import com.alokpanda.security.service.CustomUserDetailsService;
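@Service
public class AuthenticationProviderImpl extends AbstractUserDetailsAuthenticationProvider {

    /** Loads the stored user (username, password, roles) for {@link #retrieveUser}. */
    @Autowired
    private CustomUserDetailsService customUserDetailsService;

    /**
     * Compares the submitted credentials with the stored password.
     *
     * <p>The stored password is compared as plain text, so the user store must hold
     * plain-text passwords; a {@code PasswordEncoder} (bcrypt/scrypt/argon2) would be
     * the usual replacement. Neither the stored password nor the submitted
     * credentials are printed or logged.
     *
     * @param userDetails the user loaded by {@link #retrieveUser}
     * @param token the authentication request carrying the submitted credentials
     * @throws AuthenticationException a {@link BadCredentialsException} when the
     *         username or credentials are missing, or the credentials do not match
     */
    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken token)
            throws AuthenticationException {
        Object credentials = token.getCredentials();
        if (userDetails.getUsername() == null || credentials == null) {
            throw new BadCredentialsException("Credential may not be null.");
        }
        if (!matches(credentials, userDetails.getPassword())) {
            throw new BadCredentialsException("Invalid Credentials.");
        }
    }

    /**
     * Loads the user through the custom {@code UserDetailsService}.
     *
     * @param username the login name submitted with the request
     * @param token the authentication request (unused here)
     * @return the stored user; never intended to be null
     * @throws AuthenticationException propagated from the user service
     */
    @Override
    protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken token)
            throws AuthenticationException {
        return customUserDetailsService.loadUserByUsername(username);
    }

    /**
     * Compares the submitted credentials with the stored password without an early
     * exit on the first differing character, so the comparison time does not reveal
     * how much of the password was correct. Non-string credentials fall back to
     * {@code equals}, matching the previous behaviour.
     *
     * @param credentials the submitted credentials, non-null
     * @param storedPassword the stored plain-text password, may be null
     * @return true when both are equal strings (or equal by {@code equals} otherwise)
     */
    private static boolean matches(Object credentials, String storedPassword) {
        if (!(credentials instanceof String) || storedPassword == null) {
            return credentials.equals(storedPassword);
        }
        String submitted = (String) credentials;
        if (submitted.length() != storedPassword.length()) {
            // Only the length is revealed by this early return.
            return false;
        }
        int diff = 0;
        for (int i = 0; i < submitted.length(); i++) {
            diff |= submitted.charAt(i) ^ storedPassword.charAt(i);
        }
        return diff == 0;
    }
}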
UserDetailsService 類:
package com.alokpanda.security.service;
import java.util.ArrayList;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import com.alokpanda.model.User;
import com.alokpanda.model.UserRole;
import com.alokpanda.repository.UserRepository;
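@Service
public class CustomUserDetailsService implements UserDetailsService {

    /** Repository used to look the user up by login name. */
    @Autowired
    private UserRepository userRepository;

    /**
     * Loads the user and turns each of its roles into a granted authority.
     *
     * <p>Each {@code UserRole.getRole()} value is used verbatim as the authority
     * name. The security configuration checks {@code hasRole("ADMIN")} and
     * {@code hasRole("USER")}, which expect the authorities {@code ROLE_ADMIN} and
     * {@code ROLE_USER}; roles stored without the {@code ROLE_} prefix therefore
     * produce a 403 on every protected URL even after a successful login.
     *
     * @param username the login name to look up
     * @return a Spring Security user built from the stored username, password and roles
     * @throws UsernameNotFoundException when no user exists for {@code username}
     *         (previously a NullPointerException on the null repository result)
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userRepository.findByUsername(username);
        if (user == null) {
            // Report the miss through the exception this contract declares rather than an NPE.
            throw new UsernameNotFoundException("User not found: " + username);
        }
        List<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
        for (UserRole userRole : user.getUserRole()) {
            grantedAuthorities.add(new SimpleGrantedAuthority(userRole.getRole()));
        }
        // The cast to UserDetails is unnecessary: this User type already implements it.
        return new org.springframework.security.core.userdetails.User(
                user.getUsername(), user.getPassword(), grantedAuthorities);
    }
}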
在 Spring Boot 啓動過程中出現錯誤「角色不應該以 'ROLE_' 開頭，因爲它會自動插入。'ROLE_ADMIN'」 –
然後在數據庫中,嘗試將角色保存爲ROLE_USER和ROLE_ADMIN – Tom