我的数据库中有用户角色表,其中包含'ROLE_ADMIN'和'ROLE_USER'等角色,在applicationContext-security.xml中,我将filterSecurityInterceptor定义为:
<s:filter-chain pattern="/rpc/adminService"
filters="
authenticationProcessingFilter,
filterSecurityInterceptor"/>
<s:filter-chain pattern="/rpc/**"
filters="
concurrentSessionFilter,
httpSessionContextIntegrationFilter,
authenticationProcessingFilter,
rememberMeProcessingFilter,
anonymousProcessingFilter,
exceptionTranslationFilter,
filterSecurityInterceptor" />
<s:filter-chain pattern="/j_spring_security*"
filters="
concurrentSessionFilter,
httpSessionContextIntegrationFilter,
logoutFilter,
authenticationProcessingFilter,
rememberMeProcessingFilter,
anonymousProcessingFilter" />
<s:filter-chain pattern="/**" filters="none" />
</s:filter-chain-map>
<bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager" />
<property name="accessDecisionManager" ref="accessDecisionManager" />
<property name="objectDefinitionSource">
<s:filter-invocation-definition-source>
<s:intercept-url pattern="/rpc/userService" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<s:intercept-url pattern="/rpc/adminService**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<s:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
</s:filter-invocation-definition-source>
</property>
</bean>
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
<property name="sessionController" ref="concurrentSessionController" />
<property name="providers">
<list>
<ref bean="rememberMeAuthenticationProvider" />
<ref bean="daoAuthenticationProvider" />
</list>
</property>
</bean>
<bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="accountRepository" />
<property name="passwordEncoder" ref="passwordEncoder" />
</bean>
然而,当我尝试以管理员用户身份访问某些资源时,它被拒绝了,抱怨为:
An Authentication object was not found in the SecurityContext
如何将数据库中定义的角色转换为securityContext识别的角色?
答案 0 :(得分:1)
HttpSessionContextIntegrationFilter的过滤器链中没有/rpc/adminService。当您看到问题时,您还没有说出请求URL是什么,但是如果您访问该确切的URL,则不会为请求提供安全上下文。
Spring Security过滤器链应始终包含此过滤器。
我也会提防你的
<s:filter-chain pattern="/**" filters="none" />
因为与先前模式不匹配的任何内容都没有安全上下文。
答案 1 :(得分:0)
你的配置中有这个吗?
<authentication-manager>
<authentication-provider user-service-ref="accountRepository">
<password-encoder ref="passwordEncoder"/>
</authentication-provider>
</authentication-manager>
你看过这个: spring-security-3-database-authentication-with-hibernate
我正在使用它进行简单的测试:
<authentication-manager alias="authenticationManager" >
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query =
"SELECT username, password, CASE Status WHEN 1 THEN 'true' ELSE 'false' END as enabled
FROM User
WHERE username = ?"
authorities-by-username-query=
"SELECT username, CASE role WHEN 1 THEN 'ROLE_USER' WHEN 2 THEN 'ROLE_ADMIN' ELSE 'ROLE_GUEST' END as authorities
FROM User
WHERE username = ?" />
</authentication-provider>
</authentication-manager>