2016-07-15
1

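Hello, I am getting access denied from Spring. Can someone please help me with this? Spring Security gives a 403 despite the correct credentials.

I am using Spring 4.3.

My controller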

@RestController
@RequestMapping(value = "/api/secured/resource/school")
@Secured({ ApplicationConstants.Role.SYSTEM_ADMIN, ApplicationConstants.Role.SCHOOL_ADMIN })
public class SchoolController
{

    @Autowired
    private SchoolService schoolService;

    @PostMapping(consumes = "application/json")
    @Secured({ ApplicationConstants.Role.SYSTEM_ADMIN })
    public @ResponseBody ResponsePayload createSchool(HttpServletRequest request, @RequestBody School school)
        throws ServiceException
    {
        // method body omitted in the original post
    }
}

interface Role
{

    String SYSTEM_ADMIN = "SYSTEM_ADMIN";

    String SCHOOL_ADMIN = "SCHOOL_ADMIN";
}

As you can see from the log below, the user has two authorities,

SYSTEM_USER and SYSTEM_ADMIN, but it still gives me access denied.

Spring config

<http pattern="/static/**" security="none" />
<http use-expressions="true">
    <intercept-url pattern="/app/**" access="isAuthenticated()" />
    <form-login login-page="/loginPage"
        authentication-success-handler-ref="mySuccessHandler"
        authentication-failure-handler-ref="myFailureHandler" />
    <logout logout-success-url="/loginPage" />
    <custom-filter ref="loginFilter" after="FIRST" />
    <csrf disabled="true" />
</http>

2016-07-15 16:03:12,525 DEBUG MethodSecurityInterceptor:348 - Previously Authenticated: org.springframew[email protected]7670236f: Principal: SystemUser [userId = 1, name = Admin, [email protected], mobilePhone = 9999999999, status = ACTIVE]; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1h5x6yxtd1m0y1ogs4h5vfo1yl; Granted Authorities: SYSTEM_USER, SYSTEM_ADMIN
2016-07-15 16:03:12,525 DEBUG AffirmativeBased:66 - Voter: [email protected], returned: 0
2016-07-15 16:03:12,527 DEBUG AffirmativeBased:66 - Voter: [email protected]4efc, returned: 0
2016-07-15 16:03:12,529 DEBUG ExceptionHandlerExceptionResolver:133 - Resolving exception from handler [public com.tepachi.web.response.ResponsePayload com.tepachi.web.controller.SchoolController.createSchool(javax.servlet.http.HttpServletRequest,com.tepachi.db.entities.user.School) throws com.tepachi.exception.ServiceException]: org.springframework.security.access.AccessDeniedException: Access is denied

Answer

0

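The problem appeared before Spring 4; it prefixes the granted authorities with ROLE_.

hasRole([role]): Returns true if the current principal has the specified role. By default, if the supplied role does not start with "ROLE_" it will be added. This can be customized by modifying the defaultRolePrefix on DefaultWebSecurityExpressionHandler.

More information can be found here: Spring Doc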
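The two "returned: 0" votes in the question's log can be reproduced outside a web application. The following is an added example, not code from the question or the answer: it assumes spring-security-core 4.x on the classpath, and the class name RolePrefixDemo, the helper allowed() and the sample tokens are constructed for illustration.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

// Hypothetical demo class: the same two voter types that appear in the question's log.
public class RolePrefixDemo {

    // Runs an AffirmativeBased decision over the @Secured attribute values.
    static boolean allowed(String rolePrefix, Authentication auth, String... secured) {
        RoleVoter roleVoter = new RoleVoter();
        roleVoter.setRolePrefix(rolePrefix); // RoleVoter only votes on attributes starting with this
        List<AccessDecisionVoter<? extends Object>> voters =
                Arrays.<AccessDecisionVoter<? extends Object>>asList(roleVoter, new AuthenticatedVoter());
        Collection<ConfigAttribute> attrs = SecurityConfig.createList(secured);
        try {
            new AffirmativeBased(voters).decide(auth, new Object(), attrs);
            return true;
        } catch (AccessDeniedException e) {
            return false; // every voter abstained (0) or one denied
        }
    }

    public static void main(String[] args) {
        // Constructed sample principals with the authorities from the question, plain and prefixed.
        Authentication plain = new TestingAuthenticationToken("admin", "n/a", "SYSTEM_USER", "SYSTEM_ADMIN");
        Authentication prefixed = new TestingAuthenticationToken("admin", "n/a", "ROLE_SYSTEM_USER", "ROLE_SYSTEM_ADMIN");

        // Default prefix, unprefixed attribute: both voters abstain, so access is denied.
        System.out.println(allowed("ROLE_", plain, "SYSTEM_ADMIN"));
        // Attribute and authority both carry ROLE_: RoleVoter grants.
        System.out.println(allowed("ROLE_", prefixed, "ROLE_SYSTEM_ADMIN"));
        // Empty prefix: RoleVoter votes on the unprefixed names and grants.
        System.out.println(allowed("", plain, "SYSTEM_ADMIN"));
    }
}
```

When changing the prefix, keep the role constants, the stored authorities and any hasRole() expressions aligned, otherwise a check that used to match silently turns into a denial.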