I am using Spring Boot 2 + Spring Security Starter.
The user is authorized, but for some reason a 403 error results.
I tried configuring it in different ways, but it doesn't work.
After successful authorization (the loadUserByUsername method works correctly) it shows 403 on every page with the /admin prefix, and before authorization, going to any page with that prefix redirects to /login.
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import static org.springframework.web.bind.annotation.RequestMethod.GET;
import static org.springframework.web.bind.annotation.RequestMethod.POST;

@Controller
public class AdminController {
    @RequestMapping(value = "/admin", method = {GET, POST})
    public String adminMainPage() {
        return "redirect:/admin/article";
    }
}

@Controller
@RequestMapping("/admin/article")
public class ArticleController {
    @RequestMapping(value = "", method = {GET, POST})
    public ModelAndView indexAdminPage(...) {
        ...
    }
}

import java.util.Collection;
import java.util.HashSet;
import java.util.Optional;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements UserDetailsService {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .userDetailsService(this)
            .authorizeRequests()
                .antMatchers("/", "/login",
                    "/login*", "/assets/**", "/lib/**", "/page.scripts/*").permitAll()
                // hasAnyRole("ADMIN") checks for the authority "ROLE_ADMIN"
                .antMatchers("/admin/**").hasAnyRole("ADMIN")
                .anyRequest()
                .authenticated()
            .and()
            .formLogin()
                .loginPage("/login")
                .usernameParameter("login")
                .passwordParameter("password")
                .successForwardUrl("/admin")
                .permitAll()
            .and()
            .logout()
                .deleteCookies("JSESSIONID")
                .permitAll();
    }

    // Every user is granted the plain authority "ADMIN" (not "ROLE_ADMIN")
    private Collection<? extends GrantedAuthority> adminGrantedAuthoritySet = new HashSet<>() {{
        add(new SimpleGrantedAuthority("ADMIN"));
    }};

    private final UserRepository userRepository;

    public WebSecurityConfig(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    @Override
    public UserDetails loadUserByUsername(String login) throws UsernameNotFoundException {
        Optional<UserEntity> optionalUser = userRepository.findByLogin(login);
        if (optionalUser.isEmpty()) {
            throw new UsernameNotFoundException("User by login '" + login + "' not found");
        } else {
            UserEntity userEntity = optionalUser.get();
            return new User(login, userEntity.getPassword(), adminGrantedAuthoritySet);
        }
    }
}
In Spring Security there is a difference between a role and an authority. A role is an authority prefixed with "ROLE_". In this example, the authority "ROLE_ADMIN" is the same as the role "ADMIN".
First, I would suggest separating the UserDetailsService from WebSecurityConfig.
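The following is an added example (not code from the question or the answer) showing both points above: the UserDetailsService moved into its own bean, and the user granted ROLE_ADMIN so that hasRole("ADMIN") on /admin/** matches. It assumes the question's UserRepository, UserEntity and findByLogin exist, and that a PasswordEncoder bean is configured elsewhere in the application.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

// Stand-alone UserDetailsService; Spring Boot wires the single UserDetailsService bean
// into the authentication manager, so the config no longer needs userDetailsService(this).
@Service
class DatabaseUserDetailsService implements UserDetailsService {
    private final UserRepository userRepository; // assumed: the question's repository type

    DatabaseUserDetailsService(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    @Override
    public UserDetails loadUserByUsername(String login) throws UsernameNotFoundException {
        UserEntity userEntity = userRepository.findByLogin(login)
            .orElseThrow(() -> new UsernameNotFoundException("User by login '" + login + "' not found"));
        // roles("ADMIN") stores the authority "ROLE_ADMIN", which is what hasRole("ADMIN") checks.
        return User.builder()
            .username(login)
            .password(userEntity.getPassword()) // assumed already encoded by the app's PasswordEncoder
            .roles("ADMIN")
            .build();
    }
}

@Configuration
@EnableWebSecurity
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is left enabled here; the login form must then post the _csrf token.
        http.authorizeRequests()
                .antMatchers("/", "/login*", "/assets/**", "/lib/**", "/page.scripts/*").permitAll()
                // Equivalent to hasAuthority("ROLE_ADMIN"). To keep the bare "ADMIN" authority
                // from the question instead, use hasAuthority("ADMIN") here.
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            .and().formLogin().loginPage("/login").usernameParameter("login")
                .passwordParameter("password").successForwardUrl("/admin").permitAll()
            .and().logout().deleteCookies("JSESSIONID").permitAll();
    }
}
```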