+-
java – Spring Security hasAnyRole无法正常工作
我正在使用 Spring安全认证和MongoDB开发应用程序.身份验证方法工作正常,但只能使用ROLE_ADMIN.我需要身份验证的所有方法都注释为:

@PreAuthorize(“hasAnyRole(‘ROLE_ADMIN’,’ROLE_USER’)”)

当我尝试与具有ROLE_USER的用户进行身份验证时,我始终会获得访问拒绝错误.

我的spring安全配置是:

<security:global-method-security pre-post-annotations="enabled" /> <security:http auto-config="true" use-expressions="true"> <intercept-url pattern="/login" access="permitAll" /> <intercept-url pattern="/logout" access="permitAll" /> <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN') and hasRole('ROLE_USER')" /> <security:form-login login-page="/login" default-target-url="/admin/main" authentication-failure-url="/accessdenied" /> <security:logout logout-success-url="/logout" /> <security:session-management> <security:concurrency-control error-if-maximum-exceeded="true" max-sessions="1"/> </security:session-management> </security:http>

如果我使用:

<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN') and hasRole('ROLE_USER')" />

我对ROLE_ADMIN和ROLE_USER都拒绝访问.

如果我使用:

<intercept-url pattern="/admin/**" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" />

我可以使用ROLE_ADMIN用户登录,但我无法使用ROLE_USER.

在我的LoginService中我有:

public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException { boolean enabled = true; boolean accountNonExpired = true; boolean credentialsNonExpired = true; boolean accountNonLocked = true; User user = getUserDetail(email); userdetails = new org.springframework.security.core.userdetails.User( user.getEmail(), user.getPwd(), enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, getAuthorities(user.getIsAdmin())); return userdetails; } public List<GrantedAuthority> getAuthorities(Integer role) { List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(); if (role.intValue() == 0) { authList.add(new SimpleGrantedAuthority("ROLE_USER")); } else if (role.intValue() == 1) { authList.add(new SimpleGrantedAuthority("ROLE_ADMIN")); } System.out.println(authList); return authList; }

我错过了什么?

最佳答案
当您遇到此类问题时,请先尝试添加许多System.out.println(或调试日志)以查看您的方法是否正常工作,同时更改:

hasRole('ROLE_ADMIN') and hasRole('ROLE_USER')

对于

hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')

并检查role.intValue()== 0是否使用sysout打印为true.

点击查看更多相关文章

转载注明原文:java – Spring Security hasAnyRole无法正常工作 - 乐贴网