0
我已經設置了我的spring安全性,但是,無論如何,我的HttpServletRequest並不是SecurityContextHolderAwareRequestWrapper的一個實例。我的Spring Security安裝有什麼問題?
有趣的是,如果我直接使用SecurityContextHolder.getContext()。getAuthentication(),我可以獲得所需的所有信息。
這裏是我的調試代碼
logger.debug("Test Permission using AwareRequestWrapper object");
if (request instanceof SecurityContextHolderAwareRequestWrapper) {
logger.debug("The request is an instance of SpringSecurityAwareRequestWrapper");
SecurityContextHolderAwareRequestWrapper requestWrapper =
(SecurityContextHolderAwareRequestWrapper) request;
if(requestWrapper.isUserInRole("administrator"))
{
logger.debug("user is an admin");
}
else{
logger.debug("user is a user");
}
}
else{
logger.debug("The request is NOT an instance of SpringSecurityAwareRequestWrapper");
}
logger.debug("Test using directi SecurityContextHolder");
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if(auth!=null)
{
logger.debug("Authenticaiton object is not null");
baseResult = (LoginResult)auth.getPrincipal();
if(baseResult.isAdmin())
{
logger.debug("user is an admin");
}
else{
logger.debug("user is an user");
}
}
else{
logger.debug("Authentication object is null");
}
下面是結果日誌
2015-09-08 11:02:56,668 DEBUG [debugLogger] - Test Permission using AwareRequestWrapper object
2015-09-08 11:02:56,668 DEBUG [debugLogger] - The request is NOT an instance of SpringSecurityAwareRequestWrapper
2015-09-08 11:02:56,668 DEBUG [debugLogger] - Test using directi SecurityContextHolder
2015-09-08 11:02:56,668 DEBUG [debugLogger] - Authenticaiton object is not null
2015-09-08 11:02:56,668 DEBUG [debugLogger] - user is an admin
這裏是我的security.xml
<http auto-config="true" servlet-api-provision="true" use-expressions="true">
<intercept-url pattern="/" access="permitAll"/>
<intercept-url pattern="/css/*" access="permitAll"/>
<intercept-url pattern="/images/*" access="permitAll"/>
<intercept-url pattern="/js/*" access="permitAll"/>
<intercept-url pattern="/resources/*.ttf" access="permitAll"/>
<intercept-url pattern="/fonts/*" access="permitAll"/>
<intercept-url pattern="/Logout.jsp" access="permitALL" />
<intercept-url pattern="/index" access="permitAll"/>
<intercept-url pattern="/**/*" access="isAuthenticated()"/>
<form-login
login-page="/"
default-target-url="/home"
authentication-failure-url="/logout"
login-processing-url="/register"/>
<csrf disabled="true"/>
</http>
<beans:bean id="customAuthenticationProvider"
class="mynamespace.CustomAuthenticationProvider" />
<authentication-manager>
<authentication-provider ref="customAuthenticationProvider"/>
</authentication-manager>
[編輯]:
僅供參考。我在日誌中打開的Spring Security之後,我做了這個
2015-09-08 12:22:19,634 DEBUG [org.springframework.security.web.FilterChainProxy] - /home at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
因此,過濾器被觸發,那麼,爲什麼不能我的控制器得到阿霍德的SecurityContextHolderAwareRequestWrapper的?
感謝
您可能想要檢查並確認它實際上是_is_。有可能它的'SecurityContextHolderAwareRequestWrapper'的子類,在這種情況下你的測試應該是'SecurityContextHolderAwareRequestWrapper.class.isAssignableFrom()' –