Spring 安全表达式 sec:authorize 不起作用

问题描述 投票:0回答:1

我想显示一个用于登录匿名用户的标签和一个用于注销经过身份验证的用户的标签,该用户具有 ROLE_USER IM 使用 sec:authorize 但它什么也不做,不要给我错误只是不起作用。

这是我的pom:

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>

    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>8.0.32</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webflux</artifactId>
    </dependency>

    <dependency>
        <groupId>com.google.code.gson</groupId>
        <artifactId>gson</artifactId>
        <version>2.10.1</version>
    </dependency>
    <dependency>
        <groupId>io.projectreactor.netty</groupId>
        <artifactId>reactor-netty-http</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-tomcat</artifactId>
        <scope>provided</scope>
    </dependency>

    <dependency>
        <groupId>org.thymeleaf</groupId>
        <artifactId>thymeleaf-spring5</artifactId>
    </dependency>



    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-springsecurity5</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-taglibs</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.ldap</groupId>
        <artifactId>spring-ldap-core</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-ldap</artifactId>
    </dependency>

    <dependency>
        <groupId>com.unboundid</groupId>
        <artifactId>unboundid-ldapsdk</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-test</artifactId>
        <scope>test</scope>
    </dependency>

    <dependency>
        <groupId>org.hibernate.validator</groupId>
        <artifactId>hibernate-validator</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>

<build>
    <plugins>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
        </plugin>
    </plugins>
</build>

如果我打印校长我会得到这个:

AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]

对于经过身份验证的:

UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=Balza, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=A2C735A0D12E494E89DC72BB9BAD7119], Granted Authorities=[ROLE_USER]]

百里香叶页面有:

<html xmlns:th="http://www.thymeleaf.org"
  xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity5" lang="it">

秒:授权是:

<li sec:authorize="hasRole('ROLE_ANONYMOUS')"><a class="dropdown-item" href="login">Login</a></li>
<li sec:authorize="hasRole('ROLE_USER')"><a class="dropdown-item" href="perform_logout">Logout</a></li>

安全配置:

@Override
protected void configure (final HttpSecurity http) throws Exception{

    http
            .authorizeRequests()
            .antMatchers("/anonymus*").anonymous() //role anonymus
            .antMatchers("/login*").permitAll()
            .antMatchers("/static/**").permitAll() //resources
            .antMatchers("/addAuthors").hasRole("USER")
            .antMatchers("/*").permitAll()
            .anyRequest().authenticated()

            .and()
            .formLogin()
            .loginPage("/login")
            .loginProcessingUrl("/perform_login")
            .failureUrl("/login?error=true")
            .permitAll()
            .defaultSuccessUrl("/", true)

            .and()
            .rememberMe()
            .key("superSecretKey")
            .tokenValiditySeconds(18000) //5 ore
            .tokenRepository(tokenRepository())


            .and()
            .logout()
            .logoutSuccessUrl("/")
            .logoutRequestMatcher(new AntPathRequestMatcher("/perform_logout", "GET"))
            .invalidateHttpSession(true)
            .deleteCookies("JSESSIONID")
            .permitAll();
}

我也尝试了这个解决方案,但我得到了 Unknown html tag sec:authorize thymeleaf:

<sec:authorize access="hasAnyAuthority('ANONYMOUS')"><li><a class="dropdown-item" href="login">Login</a></li></sec:authorize>

我还尝试检索已登录用户的名称,但不起作用,就像我没有正在访问该页面的用户的信息

编辑:

我使用了这个“解决方法”,但我不知道这是否是正确的方法:

<li><a th:if="${role == '[ROLE_ANONYMOUS]'}" class="dropdown-item" href="login">Login</a></li>
<li><a th:if="${role == '[ROLE_USER]'}" class="dropdown-item" href="perform_logout">Logout</a></li>
spring spring-boot spring-security thymeleaf spring-thymeleaf
1个回答
0
投票

如果授予的权限是这样的

Granted Authorities=[ROLE_ANONYMOUS]
。 Spring 安全的角色是 
ANONYMOUS

将安全标签更新为

sec:authorize="hasRole('ANONYMOUS')"

或者你可以使用

sec:authorize="hasAuthority('ROLE_ANONYMOUS')"
.

hasRole(String role)
的文档如下。

如果当前主体具有指定角色,则返回 true。

例如,hasRole('admin')

默认情况下,如果提供的角色不以“ROLE_”开头,它将是 添加。这可以通过修改 defaultRolePrefix 来定制 默认WebSecurityExpressionHandler。

参考:Spring security常用内置表达式

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.