Question

在扩展WebSecurityConfigurerAdapter的类中我有这个代码通过url为不同的角色添加安全性。

    http.authorizeRequests().antMatchers(HttpMethod.GET, "/rest/setup/defaultpassword/**").hasRole("USER");
    http.authorizeRequests().antMatchers(HttpMethod.GET, "/rest/setup/commerces/**").hasRole("USER");
    http.authorizeRequests().antMatchers(HttpMethod.GET, "/rest/setup/tax").hasRole("USER");

    http.authorizeRequests().antMatchers("/rest/setup/tax").hasRole("ADMIN");
    http.authorizeRequests().antMatchers("/login").permitAll(); //
    http.authorizeRequests().antMatchers("/rest/**").authenticated();
    http.csrf().disable();
    http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);

    http.formLogin().successHandler(authenticationSuccessHandler);
    http.formLogin().failureHandler(authenticationFailureHandler);
    http.logout().logoutUrl("/logout");
    http.logout().logoutSuccessUrl("/");

当我使用用户角色登录时，我可以访问：/ rest / setup / tax

当我使用管理员角色登录时，我可以访问/ rest / setup / tax

http://localhost:8080/rest/setup/tax 403（禁止）

我搜索只提供get for user角色以及admin one的所有内容。

Answer 1

表AUTHORITIES将有两列，例如用户名，权限，列权限中指定的角色应该带有前缀ROLE_，例如ROLE_ADMIN＆amp; ROLE_USER。因此，您的代码应指定hasRole("ROLE_USER")和hasRole("ROLE_ADMIN")

<强>更新

RoleVoter.java

https://github.com/spring-projects/spring-security/blob/master/core/src/main/java/org/springframework/security/access/vote/RoleVoter.java

关于ROLE_前缀

Spring security added prefix "ROLE_" to all roles name?

带角色的url安全问题

1 个答案: