I am developing a Spring MVC web application. I want to implement Spring Security for specific roles. I have three roles: user, admin and customer.
Here is my sample code:
context-security.xml
<global-method-security secured-annotations="enabled" proxy-target-class="true">
</global-method-security>

<http pattern="/resources/**" security="none" />
<http pattern="/javax.faces.resource/**" security="none" />
<http pattern="/img/**" security="none" />
<http pattern="/login*" security="none" />

<http auto-config="true" access-denied-page="/accessDenied.xhtml">
    <anonymous enabled='false' />
    <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="ROLE_ADMIN" />
    <intercept-url pattern="/pages/user**" access="ROLE_USER" />
    <intercept-url pattern="/pages/cutomer**" access="ROLE_CUSTOMER" />
    <form-login login-processing-url="/j_spring_security_check"
                login-page="/login.xhtml"
                authentication-success-handler-ref="customSuccessHandler"
                authentication-failure-url="/login" />
    <logout logout-url="/logout" logout-success-url="/login"
            invalidate-session="true" delete-cookies="JSESSIONID" />
</http>

<beans:bean id="customAuthenticationProvider"
            class="com.invetechs.security.CustomAuthenticationProvider" />

<authentication-manager alias="authenticationManager">
    <authentication-provider ref="customAuthenticationProvider">
    </authentication-provider>
</authentication-manager>
HappyfacesUserDetails
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

// Nested static class (as in the original); the enclosing class is not shown.
public static final class HappyfacesUserDetails implements UserDetails {
    private static final long serialVersionUID = 1L;

    /** The application user wrapped by this principal. */
    private User user;

    /** Constructor. */
    private HappyfacesUserDetails(User user) {
        super();
        this.user = user;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public String getUsername() {
        return user.getUserName();
    }

    @Override
    public String getPassword() {
        return user.getPassword();
    }

    /** Derives the single granted role from the user's id. */
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        List<GrantedAuthority> roles = new ArrayList<GrantedAuthority>();
        roles.add(new GrantedAuthority() {
            private static final long serialVersionUID = 1L;

            @Override
            public String getAuthority() {
                if (user.getId() == -1L)
                    return "ROLE_ADMIN";
                else if (user.getId() == 1L)
                    return "ROLE_CUSTOMER";
                else
                    return "ROLE_USER";
            }
        });
        return roles;
    }

    public User getUser() {
        return user;
    }
}
Project directory
More details
The project has three main roles: admin, user and customer. Each role is allowed to access the pages in the directory of the web application whose name contains the role name. For example, the user role can access the pages inside the user directory, and likewise for the other roles.
In the current situation, the admin can access every directory, and the other roles cannot access anything in the application.
I think my problem is in the context-security file, but I cannot figure out where the problem is.
Answer 0 (score: 0)
The order of the intercept-url elements matters; see the Spring Security Reference, section 43.1.24:
This element is used to define the set of URL patterns that the application is interested in and to configure how they should be handled. It is used to construct the FilterInvocationSecurityMetadataSource used by the FilterSecurityInterceptor. It is also responsible for configuring a ChannelProcessingFilter if particular URLs need to be accessed by HTTPS, for example. When matching the specified patterns against an incoming request, the matching is done in the order in which the elements are declared. So the most specific patterns should come first and the most general should come last.
The modified part of your configuration:
<http auto-config="true" access-denied-page="/accessDenied.xhtml">
    <anonymous enabled='false' />
    <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/pages/user**" access="ROLE_USER" />
    <intercept-url pattern="/pages/cutomer**" access="ROLE_CUSTOMER" />
    <intercept-url pattern="/**" access="ROLE_ADMIN" />
    <form-login login-processing-url="/j_spring_security_check"
                login-page="/login.xhtml"
                authentication-success-handler-ref="customSuccessHandler"
                authentication-failure-url="/login" />
    <logout logout-url="/logout" logout-success-url="/login"
            invalidate-session="true" delete-cookies="JSESSIONID" />
</http>
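As an added illustration (not part of the question or the answer above), the following Python script models the first-match-wins evaluation of intercept-url rules and shows why the original order hands every path to the /** rule. It contains a small segment-wise Ant-style matcher written for this example: like Spring's AntPathMatcher it compares patterns segment by segment, so ** spans directories only when it is a whole segment, while * and ? stay inside one segment. The two rule lists copy the patterns from the page as written (including the cutomer spelling); the request paths, the shadowed_rules helper and the comma-separated role handling are assumptions added here, not anything the page shows.

```python
import re

# Constructed rule lists: the question's order and the answer's corrected order.
ORIGINAL_ORDER = [
    ("/login*", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/**", "ROLE_ADMIN"),
    ("/pages/user**", "ROLE_USER"),
    ("/pages/cutomer**", "ROLE_CUSTOMER"),
]
FIXED_ORDER = [
    ("/login*", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/pages/user**", "ROLE_USER"),
    ("/pages/cutomer**", "ROLE_CUSTOMER"),
    ("/**", "ROLE_ADMIN"),
]


def _segment_regex(segment):
    """Regex for one path segment: '*' = any run of characters, '?' = one char."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in segment)
    return re.compile("^" + body + "$")


def _match_segments(pattern_segs, path_segs):
    if not pattern_segs:
        return not path_segs
    if pattern_segs[0] == "**":
        # A whole '**' segment consumes zero or more path segments.
        return any(_match_segments(pattern_segs[1:], path_segs[i:])
                   for i in range(len(path_segs) + 1))
    if not path_segs:
        return False
    return (_segment_regex(pattern_segs[0]).match(path_segs[0]) is not None
            and _match_segments(pattern_segs[1:], path_segs[1:]))


def ant_match(pattern, path):
    """Simplified Ant-style matching in the spirit of Spring's AntPathMatcher."""
    return _match_segments([s for s in pattern.split("/") if s],
                           [s for s in path.split("/") if s])


def required_access(rules, path):
    """Return the access attribute of the FIRST rule matching the path (declaration order)."""
    for pattern, access in rules:
        if ant_match(pattern, path):
            return access
    return None


def is_allowed(rules, path, granted_roles):
    """Decide a request: anonymous-allowed paths pass; otherwise any listed role suffices."""
    access = required_access(rules, path)
    if access is None:
        return False  # no rule matched; this model denies by default
    if access == "IS_AUTHENTICATED_ANONYMOUSLY":
        return True
    needed = {a.strip() for a in access.split(",")}  # "ROLE_USER,ROLE_ADMIN" style lists
    return bool(needed & set(granted_roles))


def shadowed_rules(rules):
    """Patterns that can never be reached because an earlier rule already matches
    a representative path built from them (probe: '**' -> 'a/b', '*'/'?' -> 'x')."""
    shadowed = []
    for idx, (pattern, _) in enumerate(rules):
        probe = "/".join("a/b" if s == "**" else s.replace("*", "x").replace("?", "x")
                         for s in pattern.split("/"))
        first = next((i for i, (p, _) in enumerate(rules) if ant_match(p, probe)), idx)
        if first < idx:
            shadowed.append(pattern)
    return shadowed


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER)):
        print(name, "shadowed:", shadowed_rules(rules))
        for path in ("/login.xhtml", "/pages/userProfile.xhtml", "/pages/user/home.xhtml"):
            print(f"  {path:28} -> {required_access(rules, path)}")
```

Two things the run makes visible. With the original order, the user and customer rules are reported as shadowed, so a ROLE_USER principal requesting /pages/userProfile.xhtml is judged against ROLE_ADMIN and denied, which is exactly the symptom in the question; after the reorder the same request resolves to ROLE_USER. Separately, because ** only spans directories as a whole segment, /pages/user** matches /pages/userProfile.xhtml but not /pages/user/home.xhtml; if the pages live in a subdirectory, the pattern to check is /pages/user/**. Note also that in the corrected order the admin no longer matches the user and customer rules; if the admin is meant to reach those directories too, the access attribute accepts a comma-separated role list.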