【发布时间】:2018-01-31 07:29:36
【问题描述】:
我已经在我的项目中配置了 Spring Security,并且在使用默认表单时可以按预期工作,隐藏特定页面。但是当我创建自己的登录表单时,用户没有角色,因此页面仍然隐藏,因为我将 XML 配置为仅向经过身份验证的用户显示页面。
我有一个具有 id、用户名、密码、角色属性的实体类(管理员)(我现在不想使用第二个表“角色”)。
我已经阅读了很多教程,其他人建议实体类应该实现 UserDetails 或创建一个实现 UserDetailsService 的 MyUserDetailsService。为什么我需要这样做?
无论如何,我尝试了我阅读的所有内容,但没有得到任何结果。即使我登录,受保护的页面仍然隐藏。我只需要登录的管理员拥有 ROLE_ADMIN(或 ROLE_MODERATOR,因为这些是他们在注册时可以选择的唯一选项),以便他们能够访问受保护的页面(/admin/list)。
我研究了这个链接Spring Security+Hibernate+XML 据我了解,我必须在 spring-security.xml 中更改这些行,如下代码所示:
<authentication-manager>
<authentication-provider user-service-ref="myUserDetailsService" >
</authentication-provider>
</authentication-manager>
那么当我只有一个管理员表并且我只想在登录时授予他们的角色时,我将如何创建 UserDetailsService 的新实现?
谢谢。
管理员类
@Entity
@Table(name="administrator")
public class Administrator {
@Id
@GeneratedValue(strategy=GenerationType.IDENTITY)
@Column(name="administrator_id")
private int id;
@NotNull(message="is required")
@Size(min=6, message="minimum chars 6")
@Size(max=45, message="maximum chars 45")
@Column(name="username")
private String username;
@NotNull(message="is required")
@Size(min=6, message="minimum chars 6")
@Size(max=45, message="maximum chars 45")
@Column(name="password")
private String password;
@Column(name="role")
private String role;
// Class constructor
public Administrator() {
}
// Getters and setters
public int getId() {
return id;
}
public void setId(int id) {
this.id = id;
}
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public String getRole() {
return role;
}
public void setRole(String role) {
this.role = role;
}
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID"
version="3.1">
<display-name>platform</display-name>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<!-- Listener for multiple xml configuration files -->
<listener>
<listener-
class>org.springframework.web.context.ContextLoaderListener</listener-
class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/platform-servlet.xml,
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-
class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value></param-value>
</init-param>
<load-on-startup>1</load-on-startup>
<!-- Turn on async support for servlet -->
<async-supported>true</async-supported>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Add filter for Spring security mapping -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-
class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http auto-config="true" use-expressions="true">
<!-- <intercept-url pattern="/admin/list" access="hasRole('ROLE_ADMIN')" /> -->
<intercept-url pattern="/home/login-page" access="isAnonymous()" />
<intercept-url pattern="/admin/list" access="isAuthenticated()" />
<form-login
login-page="/home/login-page"
default-target-url="/home/main"
authentication-failure-url="/home/login-page"
login-processing-url="/login-process" />
<logout logout-success-url="/home/login-page"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user111" password="pass111" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
【问题讨论】:
-
UserDetailsService 接口用于检索用户相关数据。它有一个名为 loadUserByUsername() 的方法,它根据用户名查找用户实体,并且可以重写以自定义查找用户的过程。请查看链接baeldung.com/spring-security-authentication-with-a-database
标签: xml spring hibernate spring-mvc spring-security