首页 文章

hasRole()不工作错误Http状态403 - 访问被拒绝

提问于
浏览
0

以下是我的security-config文件中的配置:

<security:http use-expressions="true">
    <security:intercept-url pattern="/adminarea"
        access="hasRole('admin')" />
    <security:intercept-url pattern="/logincheck"
        access="permitAll" />
    <security:intercept-url pattern="/newaccount"
        access="permitAll" />
    <security:intercept-url pattern="/createnewaccount"
        access="permitAll" />
    <security:intercept-url pattern="/home"
        access="isAuthenticated()" />
    <security:intercept-url pattern="/static/**"
        access="permitAll" />
    <security:intercept-url pattern="/" access="permitAll" />
    <security:intercept-url pattern="/**" access="denyAll" />
    <security:form-login login-page="/"
        authentication-failure-url="/?error=true" default-target-url="/home" />
</security:http>

我使用的是spring default login,工作正常 . 但是当我尝试使用 /adminarea 时,我收到 Http Status 403 - Access is denied 错误 . 任何帮助 .

编辑:AuthenticationManager

<security:authentication-manager>
    <security:authentication-provider>
        <security:jdbc-user-service
            data-source-ref="dataSource" />
    </security:authentication-provider>
</security:authentication-manager>

JSP上的代码:

<sec:authentication property="principal"/>
<sec:authorize access="hasRole('admin')">
    <a href="${pageContext.request.contextPath}/adminarea">Admin Area</a>
</sec:authorize>

第一个标签输出如下

rg.springframework.security.core.userdetails.User@6d8e08d5:用户名:zubi@yahoo.com;密码保护];启用:true; AccountNonExpired:true; credentialsNonExpired:true; AccountNonLocked:true;授权机构:admin

第二个标签没有输出 .

2 回答

  • 0

    我假设您已创建以下表格

    create table users(
          username varchar_ignorecase(50) not null primary key,
          password varchar_ignorecase(50) not null,
          enabled boolean not null);
    
      create table authorities (
          username varchar_ignorecase(50) not null,
          authority varchar_ignorecase(50) not null,
          constraint fk_authorities_users foreign key(username) references users(username));
          create unique index ix_auth_username on authorities (username,authority);
    

    在应用程序上下文xml中,上述身份验证管理器配置需要哪些 .

    并且您已将 admin 角色插入 authorities 表中 .

  • 0

    我通过将DB中的角色设置为 ROLE_XXX 或在我的情况下 ROLE_ADMIN 来修复此问题 . 然后使用以下代码:

    安全配置:

    <security:intercept-url pattern="/adminarea"
            access="hasRole('ROLE_ADMIN')" />
    

    JSP:

    <sec:authorize access="hasRole('ROLE_ADMIN')">
        <a href="${pageContext.request.contextPath}/adminarea">Admin Area</a>
    </sec:authorize>
    

    从我的实验到使它工作 . 我想定义的角色需要在 CAPITAL 中,并且应该以 ROLE_ 作为前缀 .

    希望它可以帮助任何人遇到这个问题 .

相关问题