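I have written a Spring Boot web application that uses Spring Security. I have 2 links that are used by two different groups of people, so I created three Active Directory groups for users and admin respectively. My problem is that people in one of the groups are able to access the application, but the rest of the two groups cannot access it. It says there is no permission to view the page.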
My login configuration is
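import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@EnableWebMvcSecurity
@ComponentScan("com.books.controller")
public class LoginConfiguration extends WebSecurityConfigurerAdapter
{
    // URL access rules, form login and logout
    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http
            .authorizeRequests()
            .antMatchers("/")
            .hasAuthority("BookAdmin")
            .and()
            .authorizeRequests()
            .antMatchers("/rentBook")
            .hasAuthority("RentalBook")
            .and()
            .authorizeRequests()
            .antMatchers("/buybook")
            .hasAuthority("BuyBook")
            .and()
            .authorizeRequests()
            .antMatchers("/rentBook")
            .hasAuthority("BookAdmin")
            .and()
            .authorizeRequests()
            .antMatchers("/buyBook")
            .hasAuthority("BookAdmin")
            .and().authorizeRequests().and().formLogin().loginProcessingUrl("/login")
            .and().logout().permitAll()
            .and().csrf().disable()
            ;
        http.headers().frameOptions().disable();
    }

    // Authenticate against Active Directory
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception
    {
        auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
    }

    @Bean
    public AuthenticationManager authenticationManager() {
        return new ProviderManager(Arrays.asList(activeDirectoryLdapAuthenticationProvider()));
    }

    // Active Directory provider: domain and LDAP URL of the domain controller
    @Bean
    public ActiveDirectoryLdapAuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider("xxx.klc", "ldap://klcdc03");
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);
        return provider;
    }
}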
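Please find my Controller class below. It works perfectly on my local machine. However, when deployed on the server, it only works for the BookAdmin group. I have not listed these groups in any properties file.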
package com.tgw.gift.info.controller;

import java.util.HashSet;
import java.util.Set;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class LoginController {

    @RequestMapping("/")
    public String home(Model model, Authentication principal)
    {
        Set<String> authorities = listAuthorties(principal);
        if (authorities.contains("BookAdmin"))
        {
            return "index";
        } else {
            return "fail";
        }
    }

    // Collect the authority names granted to the logged-in user
    private Set<String> listAuthorties(Authentication principal)
    {
        Set<String> set = new HashSet<String>();
        for (GrantedAuthority s : principal.getAuthorities()) {
            set.add(s.getAuthority());
        }
        return set;
    }

    @RequestMapping("/buyBook")
    public String printDetails(Model model, Authentication principal) {
        Set<String> authorities = listAuthorties(principal);
        if (authorities.contains("BuyBook"))
        {
            return "buyBook";
        } else if (authorities.contains("BookAdmin")) {
            return "buyBook";
        } else {
            return "fail";
        }
    }

    @RequestMapping("/rentBook")
    public String printRentDetails(Model model, Authentication principal) {
        Set<String> authorities = listAuthorties(principal);
        if (authorities.contains("RentalBook"))
        {
            return "rentBook";
        } else if (authorities.contains("RentalAdmin")) {
            return "rentBook";
        } else {
            return "fail";
        }
    }
}
Also, this works fine when run locally, but not on the server.
1 Answer
You need only one authorizeRequests and one antMatcher for each URL:
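An added example, not the answerer's code and not from the original page: the question's LoginConfiguration rewritten with a single authorizeRequests() chain and one matcher per URL, using hasAnyAuthority to list every group allowed on that URL. The group names, domain and LDAP URL are the ones in the question; the anyRequest().authenticated() fallback is an assumption.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@EnableWebMvcSecurity
public class LoginConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are checked in declaration order and the first matching
                // pattern decides. A repeated matcher for the same URL does not
                // merge with the earlier one, so each URL appears exactly once
                // and names every group that may reach it.
                .antMatchers("/").hasAuthority("BookAdmin")
                .antMatchers("/rentBook").hasAnyAuthority("RentalBook", "BookAdmin")
                .antMatchers("/buyBook").hasAnyAuthority("BuyBook", "BookAdmin")
                // Assumption: any URL not listed above still requires a login.
                .anyRequest().authenticated()
                .and()
            .formLogin().loginProcessingUrl("/login")
                .and()
            .logout().permitAll();
        // CSRF protection and X-Frame-Options stay at Spring Security's
        // defaults here; the question's configuration disables both.
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Same Active Directory provider settings as in the question.
        ActiveDirectoryLdapAuthenticationProvider provider =
            new ActiveDirectoryLdapAuthenticationProvider("xxx.klc", "ldap://klcdc03");
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);
        auth.authenticationProvider(provider);
    }
}
```

With the URL rules expressed this way, the authority checks inside the controller methods duplicate what the filter chain already enforces.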