Spring Security:获得单次授权后发出403

问题描述 投票:0回答:2

使用过的Spring Boot 2 + Spring Security Starter。

授权用户,但由于某些原因导致错误403。

我试图以不同的方式进行配置,但是它不起作用。

授权成功后(loadUserByUsername方法正常工作,它在所有带有/ admin前缀的页面上显示403,并且在授权之前,切换到具有此前缀的任何页面都会导致重定向到/登录)>

@Controller
public class AdminController {
    @RequestMapping(value = "/admin", method = {GET, POST})
    public String adminMainPage() {
        return "redirect:/admin/article";
    }
}

@Controller
@RequestMapping("/admin/article")
public class ArticleController {
  @RequestMapping(value = "", method = {GET, POST})
  public ModelAndView indexAdminPage(...){
  ...
  }
}

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements UserDetailsService {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .userDetailsService(this)
                .authorizeRequests()
                .antMatchers("/", "/login",
                        "/login*", "/assets/**", "/lib/**", "/page.scripts/*").permitAll()
                .antMatchers("/admin/**").hasAnyRole("ADMIN")
                .anyRequest()
                .authenticated()
                .and()
                .formLogin()
                .loginPage("/login")
                .usernameParameter("login")
                .passwordParameter("password")
                .successForwardUrl("/admin")
                .permitAll()
                .and()
                .logout()
                .deleteCookies("JSESSIONID")
                .permitAll();
    }

    private Collection<? extends GrantedAuthority> adminGrantedAuthoritySet = new HashSet<>() {{
        add(new SimpleGrantedAuthority("ADMIN"));
    }};

    private final UserRepository userRepository;

    public WebSecurityConfig(UserRepository userRepository ) {
        this.userRepository = userRepository;
    }

    @Override
    public UserDetails loadUserByUsername(String login) throws UsernameNotFoundException {
        Optional<UserEntity> optionalUser = userRepository.findByLogin(login);
        if (optionalUser.isEmpty()) {
            throw new UsernameNotFoundException("User by login '" + login + "' not found");
        } else {
            UserEntity userEntity = optionalUser.get();
            return new User(login, userEntity.getPassword(), adminGrantedAuthoritySet);
        }
    }
}

使用过的Spring Boot 2 + Spring Security Starter。授权用户,但由于某种原因给出错误403。我尝试以其他方式进行配置,但是它不起作用。授权成功后...

java spring spring-boot spring-mvc spring-security
2个回答
0
投票

在Spring Security中,roleauthority之间有区别。role是以authority为前缀的"ROLE_"。在此示例中,权限"ROLE_ADMIN"与角色"ADMIN"相同。

0
投票

首先,我建议您将UserDetailsS​​ervice与WebSecurityConfig分开。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.