【发布时间】:2021-01-11 11:54:01
【问题描述】:
我在使用 Spring Security 时遇到问题,因为当我登录网站时,我无法使用角色 admin 访问 url 这是我的安全配置
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Bean
public PasswordEncoder encoder() {
return new StandardPasswordEncoder("53cr3t");
}
public SecurityConfig(UserDetailsServiceImpl userDetailsService) {
this.userDetailsService = userDetailsService;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.headers().disable();
http.authorizeRequests()
.antMatchers("/").authenticated()
.antMatchers("/rentAppPage/*").hasAuthority("ADMIN")
.antMatchers("/addVehicle").hasRole("ADMIN")
.antMatchers("/getVehicle").hasAuthority("ADMIN")
.antMatchers("/removeVehicle").hasAuthority("ROLE_ADMIN")
.antMatchers("/updateVehicle").hasAuthority("ROLE_ADMIN")
.antMatchers("/allUser").hasAuthority("ROLE_ADMIN")
.antMatchers("/resultGet").hasAuthority("ROLE_ADMIN")
.antMatchers("/addUser").hasAuthority("ROLE_ADMIN")
.antMatchers("/getUser").hasAuthority("ROLE_ADMIN")
.antMatchers("/updateUser").hasAuthority("ROLE_ADMIN")
.antMatchers("/removeUserById").hasAuthority("ROLE_ADMIN")
.antMatchers("/price").permitAll()
.antMatchers("/allScooter").permitAll()
.antMatchers("/allCar").permitAll()
.antMatchers("/allMotorBike").permitAll()
.antMatchers("/allBike").permitAll()
.antMatchers("/distance").permitAll()
.antMatchers("/user").permitAll()
.antMatchers("/rent").permitAll()
.antMatchers("/rent2").permitAll()
.antMatchers("/buy").permitAll()
.antMatchers("/buy2").permitAll()
.antMatchers("/thanks").permitAll()
.antMatchers("/rentAppPage").hasAnyAuthority( "ROLE_ADMIN", "ROLE_USER")
.and()
.formLogin()
.loginPage("/login").permitAll()
.defaultSuccessUrl("/", true);
;
http.sessionManagement()
//.expiredUrl("/sessionExpired.html")
.invalidSessionUrl("/login.html");
}
}
我尝试使用 hasRole、hasAuthority、hasAnyAuthority 但不起作用,只能工作 permittAll 但我不想访问具有角色 user 的用户的某些 url
这是我的登录控制器
@Controller
public class LoginController {
@Resource(name = "sessionObject")
SessionObject sessionObject;
@Autowired
IAuthenticationService authenticationService;
public LoginController(){
}
@RequestMapping(value = "",method = RequestMethod.GET)
public String mainSite(){
return "redirect:login";
}
@RequestMapping(value = "/login",method = RequestMethod.GET)
public String showLoginForm(Model model){
model.addAttribute("userModel",new User());
model.addAttribute("errorMessage","");
return "login";
}
@RequestMapping(value = "/authenticate",method = RequestMethod.POST)
public String authenticateUser(@ModelAttribute("userModel")User user,Model model){
boolean authResult = this.authenticationService.authenticationUser(user);
if(authResult){
System.out.println("logged !!");
this.sessionObject.setUser(user);
return "rentAppPage";
}else{
model.addAttribute("errorMessage","error data!!!");
model.addAttribute("userModel",new User());
return "login";
}
}
@RequestMapping(value = "/rentAppPage", method = RequestMethod.GET)
public String page(Model model) {
if(this.sessionObject.getUser() == null) {
return "redirect:/login";
}
model.addAttribute("username", this.sessionObject.getUser().getUsername());
System.out.println(this.sessionObject.getUser().getUsername());
return "rentAppPage";
}
@RequestMapping(value = "/logout",method = RequestMethod.GET)
public String logout(){
this.sessionObject.setUser(null);
return "redirect:login";
}
我在数据库中有两个用户,一个具有 Admin 角色,第二个具有 USER 角色,但这不起作用 有人能解释一下为什么吗?
【问题讨论】:
-
您能告诉我们数据库中的角色究竟是如何存储的吗??
-
我现在编辑你可以看到我尝试 ROLE_ADMIN 但不起作用,我更改为 ADMIN
-
你应该存储在数据库 ROLE_ADMIN 而不是 ADMIN
-
好的,我更改为 ROLE_ADMIN 并更改了 antMatchers("/addVehicle/*").hasRole("ADMIN") 但我不知道为什么我总是返回登录
-
我必须使用生成密码登录才能使用 Spring Security?
标签: java html spring spring-security