http.authorizeRequests().antMatchers("/dms**").access("hasAnyRole('admin','dms')");
用户应具有 admin 或 dms 角色才能导航到该页面。 我以管理员身份登录。
从日志中我可以看到角色匹配正确(数据库角色和登录用户角色)
Granted Authorities: admin
但我仍然可以看到访问被拒绝。有什么线索吗? 完整日志在这里
2016-11-10 16:41:46 DEBUG AntPathRequestMatcher:157 - Checking match of
request : '/dms.jsp'; against '/dms**'
2016-11-10 16:41:46 DEBUG FilterSecurityInterceptor:219 - Secure object: FilterInvocation: URL: /dms.jsp; Attributes: [hasAnyRole('admin','dms')]
2016-11-10 16:41:46 DEBUG FilterSecurityInterceptor:348 - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@9546: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: admin; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: LVXYO0lvcLRvJFcH9pJO_kO2R5B7ha4LLm3DwZ7m; Granted Authorities: admin
2016-11-10 16:41:46 DEBUG AffirmativeBased:66 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@7ade02ad, returned: -1
2016-11-10 16:41:46 DEBUG ExceptionTranslationFilter:186 - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)
只需在可用角色前面添加“ROLE_”前缀即可解决该问题。 不知道为什么 spring 不允许自己的角色
我也有同样的问题。这个解决方案也对我有用:“只需在可用角色中添加“ROLE_”前缀即可解决问题。”。