Question

我有一个Spring应用程序（Spring版本 2.5.6.SEC01 ，Spring Security版本 2.0.5 ），具有以下设置（这基于{{ 3}}）：

在 security-config.xml 文件中，我有以下配置：

<http>
  <!-- Restrict URLs based on role -->
  <intercept-url pattern="/WEB-INF/jsp/login.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/WEB-INF/jsp/header.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/WEB-INF/jsp/footer.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/login*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/index.jsp" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/logoutSuccess*" access="ROLE_ANONYMOUS" />

  <intercept-url pattern="/css/**" filters="none" />
  <intercept-url pattern="/images/**" filters="none" />
  <intercept-url pattern="/**" access="ROLE_ANONYMOUS" />
  <anonymous />
  <form-login login-page="/login.jsp"/>
</http>

<beans:bean id="myUserDetailsService" class="com.example.login.MyUserDetailsService">
  <beans:property name="dataSource" ref="dataSource" />
  <custom-authentication-provider />
</beans:bean>

<authentication-provider user-service-ref="myUserDetailsService" />

定义 com.example.login.MyUserDetailsService 类：

public class MyUserDetailsService extends SimpleJdbcDaoSupport implements UserDetailsService {
  @Override
  public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException,
          DataAccessException {
    logger.info("MyUserDetailsService.loadUserByUsername: Entered method. Username [" + userName + "]");
    ...
  }
}

但我没有看到这个日志行。如何定义自定义UserDetailsService以便设置安全角色？我甚至不需要自定义服务，但在security-config.xml

中有这个

<authentication-provider> <jdbc-user-service data-source-ref="dataSource" />
</authentication-provider>

即使我有用户和权限表，

也没有设置角色。如何设置Spring Security角色？

Answer 1

只需删除<custom-authentication-provider>元素。

您的MyUserDetailsService不是自定义AuthenticationProvider。实际上，您正尝试使用自定义DaoAuthenticationProvider提供默认UserDetailsService。以下是该场景的工作配置示例（我建议您再次使用auto-config）：

<http auto-config = "true">
    <intercept-url pattern="/login.jsp" access="ROLE_ANONYMOUS" />
    ...
    <intercept-url pattern="/**" access="ROLE_USER" />

    <form-login login-page="/login.jsp" default-target-url="/XXX.html" />
</http>

<authentication-provider user-service-ref = "userDetailsService" />

<beans:bean id = "userDetailsService" class = "com.example.MyUserService" />

修改

的web.xml：

... <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> ...

的login.jsp：

... <form method = "POST" action = "<c:url value = "/j_spring_security_check" />"> <table> <tr> <td class = "label">Login:</td> <td><input type = "text" name = "j_username" /></td> </tr> <tr> <td class = "label">Password:</td> <td><input type = "password" name = "j_password" /></td> </tr> <tr> <td colspan = "2"><input type = "submit" value = "Log in" /></td> </tr> </table> </form> ...

Answer 2

我认为authentication-provide标记应附带authentication-manager标记。

<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="myUserService" />
</authentication-manager>

希望这有效！

Spring Security - 未调用自定义身份验证提供程序

2 个答案: