+-

我正在使用 Spring安全认证和MongoDB开发应用程序.身份验证方法工作正常,但只能使用ROLE_ADMIN.我需要身份验证的所有方法都注释为:
@PreAuthorize(“hasAnyRole(‘ROLE_ADMIN’,’ROLE_USER’)”)
当我尝试与具有ROLE_USER的用户进行身份验证时,我始终会获得访问拒绝错误.
我的spring安全配置是:
<security:global-method-security pre-post-annotations="enabled" /> <security:http auto-config="true" use-expressions="true"> <intercept-url pattern="/login" access="permitAll" /> <intercept-url pattern="/logout" access="permitAll" /> <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN') and hasRole('ROLE_USER')" /> <security:form-login login-page="/login" default-target-url="/admin/main" authentication-failure-url="/accessdenied" /> <security:logout logout-success-url="/logout" /> <security:session-management> <security:concurrency-control error-if-maximum-exceeded="true" max-sessions="1"/> </security:session-management> </security:http>如果我使用:
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN') and hasRole('ROLE_USER')" />我对ROLE_ADMIN和ROLE_USER都拒绝访问.
如果我使用:
<intercept-url pattern="/admin/**" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" />我可以使用ROLE_ADMIN用户登录,但我无法使用ROLE_USER.
在我的LoginService中我有:
public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException { boolean enabled = true; boolean accountNonExpired = true; boolean credentialsNonExpired = true; boolean accountNonLocked = true; User user = getUserDetail(email); userdetails = new org.springframework.security.core.userdetails.User( user.getEmail(), user.getPwd(), enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, getAuthorities(user.getIsAdmin())); return userdetails; } public List<GrantedAuthority> getAuthorities(Integer role) { List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(); if (role.intValue() == 0) { authList.add(new SimpleGrantedAuthority("ROLE_USER")); } else if (role.intValue() == 1) { authList.add(new SimpleGrantedAuthority("ROLE_ADMIN")); } System.out.println(authList); return authList; }我错过了什么?
最佳答案
当您遇到此类问题时,请先尝试添加许多System.out.println(或调试日志)以查看您的方法是否正常工作,同时更改:
hasRole('ROLE_ADMIN') and hasRole('ROLE_USER')
对于
hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')并检查role.intValue()== 0是否使用sysout打印为true.
点击查看更多相关文章
转载注明原文:java – Spring Security hasAnyRole无法正常工作 - 乐贴网