1. 首頁
  2. 問答
  3. Spring安全性爲所有角色名稱添加前綴「ROLE_」?

Spring安全性爲所有角色名稱添加前綴「ROLE_」?

2015-10-19 100 views
14

我有這樣的代碼在我的Web安全配置:Spring安全性爲所有角色名稱添加前綴「ROLE_」?

@Override 
protected void configure(HttpSecurity http) throws Exception { 
    http 
      .authorizeRequests() 
      .antMatchers("/api/**") 
      .hasRole("ADMIN") 
      .and() 
      .httpBasic().and().csrf().disable(); 

}

所以我增加了一個用戶在我的數據庫「ADMIN」的角色,我總是得到403錯誤,當我tryed洛這個用戶,然後我啓用日誌春天,我發現這條線:

2015-10-18 23:13:24.112 DEBUG 4899 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/user/login; Attributes: [hasRole('ROLE_ADMIN')]

爲什麼春季安全正在尋找「ROLE_ADMIN」,而不是「管理」?

來源

2015-10-19 Gustavo Rozolin

+0

[春季安全角色前綴和自定義用戶信息服務(可能的重複http://stackoverflow.com/questions/4951832/spring-security-role-prefix-and-custom -user-details-service) – Bruno

回答

8

默認情況下,Spring安全性添加前綴「ROLE_」。

如果你想要這個刪除或更改,看看

http://forum.spring.io/forum/spring-projects/security/51066-how-to-change-role-from-interceptor-url

編輯:發現這個問題,以及: Spring Security remove RoleVoter prefix

來源

2015-10-19 03:20:22 jmcg

+0

只是一個問題,如果我在@Secured註解中添加一個角色,Spring是否默認添加ROLE_?如果我添加@Secured(「abc」),Spring會檢查ROLE_abc還是abc? –

+0

@SajibAcharya你可以改變默認的'ROLE_'。請參閱http://stackoverflow.com/questions/38134121/how-do-i-remove-the-role-prefix-from-spring-security-with-javaconfig/38970309#38970309 – walsh

9

在Spring 4,有兩種方法hasAuthority()hasAnyAuthority()定義在org.springframework.security.access.expression.SecurityExpressionRoot類。這兩種方法只檢查您的自定義角色名稱而不加前綴添加ROLE_。定義如下:

public final boolean hasAuthority(String authority) { 
    return hasAnyAuthority(authority); 
} 
public final boolean hasAnyAuthority(String... authorities) { 
    return hasAnyAuthorityName(null, authorities); 
} 
private boolean hasAnyAuthorityName(String prefix, String... roles) { 
    Set<String> roleSet = getAuthoritySet(); 

    for (String role : roles) { 
     String defaultedRole = getRoleWithDefaultPrefix(prefix, role); 
     if (roleSet.contains(defaultedRole)) { 
      return true; 
     } 
    } 

    return false; 
} 
private static String getRoleWithDefaultPrefix(String defaultRolePrefix, String role) { 
    if (role == null) { 
     return role; 
    } 
    if (defaultRolePrefix == null || defaultRolePrefix.length() == 0) { 
     return role; 
    } 
    if (role.startsWith(defaultRolePrefix)) { 
     return role; 
    } 
    return defaultRolePrefix + role; 
}

實例:

<http auto-config="false" use-expressions="true" pattern="/user/**" 
     entry-point-ref="loginUrlAuthenticationEntryPoint"> 
    <!--If we use hasAnyAuthority, we can remove ROLE_ prefix--> 
    <intercept-url pattern="/user/home/yoneticiler" access="hasAnyAuthority('FULL_ADMIN','ADMIN')"/> 
    <intercept-url pattern="/user/home/addUser" access="hasAnyAuthority('FULL_ADMIN','ADMIN')"/> 
    <intercept-url pattern="/user/home/addUserGroup" access="hasAuthority('FULL_ADMIN')"/> 
    <intercept-url pattern="/user/home/deleteUserGroup" access="hasAuthority('FULL_ADMIN')"/> 
    <intercept-url pattern="/user/home/**" access="hasAnyAuthority('FULL_ADMIN','ADMIN','EDITOR','NORMAL')"/> 
    <access-denied-handler error-page="/403"/> 
    <custom-filter position="FORM_LOGIN_FILTER" ref="customUsernamePasswordAuthenticationFilter"/> 
    <logout logout-url="/user/logout" 
      invalidate-session="true" 
      logout-success-url="/user/index?logout"/> 
    <!-- enable csrf protection --> 
    <csrf/> 
</http> <beans:bean id="loginUrlAuthenticationEntryPoint" 
      class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> 
    <beans:constructor-arg value="/user"/> 
</beans:bean>

來源

2016-08-30 18:27:02 olyanren

1

作爲@olyanren悲傷,可以使用hasAuthority()方法在彈簧4而不是hasRole()。我加入JavaConfig例如:

@Override 
protected void configure(HttpSecurity http) throws Exception { 
    .authorizeRequests() 
    .antMatchers("/api/**") 
    .access("hasAuthority('ADMIN')") 
    .and() 
    .httpBasic().and().csrf().disable(); 
}

來源

2017-06-16 11:59:52

相關問題

 相關問題