这个问题在这里已有答案:
我在Spring Boot应用程序中使用Spring Security,似乎Thymeleaf授权无法正常工作 .
我有Thymeleaf模板,代码如下:
<div class="container">
<div class="row" sec:authorize="isAuthenticated()">
<h2 style="color:green">User is Logged In</h2>
<p sec:authentication="principal.username">username</p>
</div>
<div class="row" sec:authorize="!isAuthenticated()">
<h2 style="color:red">User is Logged Out</h2>
</div>
<div class="row" sec:authorize="hasRole('ROLE_SUPERUSER')">
<h2>This will only be displayed if authenticated user has role ROLE_SUPERUSER.</h2>
</div>
<div class="row" sec:authorize="hasRole('ROLE_ADMIN')">
<h2>This will only be displayed if authenticated user has role ROLE_ADMIN.</h2>
</div>
<div class="row" sec:authorize="hasRole('ROLE_USER')">
<h2>This will only be displayed if authenticated user has role ROLE_USER.</h2>
</div>
<div th:if="${#authorization.expression('hasRole(''ROLE_ADMIN'')')}">
This will only be displayed if authenticated user has role ROLE_ADMIN.
</div>
<div th:if="${#authorization.expr('hasRole(''ROLE_ADMIN'')')}">
This will only be displayed if authenticated user has role ROLE_ADMIN.
</div>
</div>
示例来自:https://github.com/thymeleaf/thymeleaf-extras-springsecurity
但是,显示的唯一内容是 sec:authorize="isAuthenticated()"
和 sec:authorize="!isAuthenticated()"
,无论用户的角色如何,都会忽略授权 .
我的百里香配置是:
@Configuration
public class ThymeleafConfig {
@Bean
public TemplateResolver defaultTemplateResolver() {
TemplateResolver resolver = new TemplateResolver();
resolver.setResourceResolver(thymeleafResourceResolver());
resolver.setPrefix("classpath:/templates/");
resolver.setSuffix(".html");
resolver.setTemplateMode("HTML5");
resolver.setCharacterEncoding("UTF-8");
resolver.setCacheable(true);
return resolver;
}
@Bean
public SpringResourceResourceResolver thymeleafResourceResolver() {
return new SpringResourceResourceResolver();
}
@Bean
public SpringTemplateEngine templateEngine(TemplateResolver templateResolver) {
SpringTemplateEngine engine = new SpringTemplateEngine();
engine.setTemplateResolver(templateResolver);
engine.addDialect(new SpringSecurityDialect());
engine.addDialect(new LayoutDialect());
return engine;
}
@Bean
public ThymeleafViewResolver thymeleafViewResolver(SpringTemplateEngine templateEngine) {
ThymeleafViewResolver resolver = new ThymeleafViewResolver();
resolver.setTemplateEngine(templateEngine);
resolver.setCharacterEncoding("UTF-8");
resolver.setContentType("text/html");
resolver.setOrder(Ordered.LOWEST_PRECEDENCE - 5);
return resolver;
}
}
我对thymeleaf-extras-springsecurity4使用以下依赖项:
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity4</artifactId>
<version>2.1.3.RELEASE</version>
</dependency>
版本 3.0.2.RELEASE
根本不起作用,并且Thymeleaf总是忽略 sec
名称空间 .
我的Spring Boot版本是 1.5.2.RELEASE
.
可能是什么原因?
UPDATE. SecurityConfig
中的 configure(HttpSecurity http)
方法如下所示:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().ignoringAntMatchers("/h2-console").disable()
.authorizeRequests()
.antMatchers("/webjars/**", "/static/**", "/images/**", "/**/favicon.ico").permitAll()
.antMatchers("/heat/**", "/power/**", "/water/**").permitAll()
// start allowing h2-console
.antMatchers("/h2-console/**").permitAll();
http.csrf().disable();
http.headers().frameOptions().disable()
// end allowing h2-console
.and().authorizeRequests().antMatchers("/info").permitAll()
.and().authorizeRequests().antMatchers("/users/**").authenticated()
.and().authorizeRequests().antMatchers("/users/**").hasAnyAuthority("ADMIN", "SUPERUSER")
.and().formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll()
.deleteCookies("remove")
.logoutUrl("/logout")
.logoutSuccessUrl("/")
.invalidateHttpSession(true)
.and().exceptionHandling().accessDeniedPage("/access_denied");
}
并且 IndexController
的映射非常简单,它只返回 login
模板:
@RequestMapping("/login")
public String loginForm() {
return "login";
}
3 回答
解决任务的另一种方法是使用此语法来检查角色:
它不使用
sec
命名空间,实际上根本不需要使用thymeleaf-extras-springsecurity4依赖 .经过不同配置的大量尝试后,我找到了一种解决方法 . 在这种情况下
sec:authorize="hasAuthority('ADMIN')"
属性有效:和
User Has Authority Admin
页面上的 Headers 呈现 .仍然不知道为什么
sec:authorize="hasRole('ROLE_ADMIN')"
属性不起作用,因为它建议在thymeleaf-extras-springsecurity
GitHub页面上作为示例:https://github.com/thymeleaf/thymeleaf-extras-springsecurity#using-the-attributes希望这可以帮助某人,尽管问题仍然存在 .
要尝试的事情:
1)使用
@EnableWebMvc
注释您的配置 .2)将
ROLE_ADMIN
替换为ADMIN
(以及其他相应的) .3)在您的控制器中,打印此以查看您当前的角色:
如果这对您不起作用,也许可以从
HttpServletRequest
尝试getUserPrincipal()
.Short of that:
我包含我的MVC配置,以便您可以尝试最新的Thymeleaf和Spring Security版本 . 这里有一些额外的配置,因此您可以删除与项目无关的内容 .
工作pom摘录: