关于Spring Security,我有两个问题。我在网络上做了很多研究,但是答案很肤浅,或者对于我的问题来说太复杂了,导致帮助不多。我试图在我的应用程序中使用Java配置策略(完全无xml)使用Spring Security。
首例
我有一个SecurityConfiguration类,它扩展了WebSecurityConfigurerAdapter。在那里,我已经自动连接了loginService(它实现了UserDetailsService),并且已经将AuthenticationManagerBuilder的UserDetailsService定义为我的LoginService。
当我尝试使用表单登录时,LoginService成功获取了User(根据提供的用户名和密码),但是以某种方式身份验证失败,并且我在浏览器中从Tomcat收到403-Access Denied消息。
第二种情况
为了解决上述问题,我创建了一个自定义AuthenticationProvider并将其注入到SecurityConfiguration中。但是,当我尝试登录时,方法authenticate()甚至无法工作。
有谁可以帮助我吗?先感谢您
SecurityConfiguration类
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter{
private final String ADMIN_ROLE = "ADMIN";
private final String EMPLOYEE_ROLE = "EMPLOYEE";
@Autowired
private LoginService loginService;
@Autowired
public void configureGlobal ( AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(loginService);
}
@Override
public void configure( WebSecurity web ) throws Exception {
web.ignoring().antMatchers("/resources/**");
}
@Override
public void configure( HttpSecurity http ) throws Exception {
http
.authorizeRequests()
.antMatchers("/login**", "/doLogin**").permitAll()
.antMatchers("/admin", "/admin/**").hasRole(ADMIN_ROLE)
.anyRequest().authenticated()
.and()
.requiresChannel()
.anyRequest().requiresSecure()
.and()
.formLogin()
.loginPage( "/login" )
.loginProcessingUrl( "/doLogin" )
.defaultSuccessUrl( "/admin" )
.failureUrl( "/login?err=1" )
.usernameParameter( "username" )
.passwordParameter( "password" )
.and()
// This is where the logout page and process is configured. The logout-url is the URL to send
// the user to in order to logout, the logout-success-url is where they are taken if the logout
// is successful, and the delete-cookies and invalidate-session make sure that we clean up after logout
.logout()
.logoutRequestMatcher( new AntPathRequestMatcher( "/logout" ) )
.logoutSuccessUrl( "/login?out=1" )
.deleteCookies( "JSESSIONID" )
.invalidateHttpSession( true )
.and()
// The session management is used to ensure the user only has one session. This isn't
// compulsory but can add some extra security to your application.
.sessionManagement()
.invalidSessionUrl( "/login" )
.maximumSessions( 1 );
}
}
LoginService类
@Service("loginService")
public class LoginService implements UserDetailsService{
@Autowired
private HibernateUserDAO hibernateUserDAO;
@Override
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException {
User user = new User();
user.setUsername(username);
List<User> result = hibernateUserDAO.get(user);
user = result.get(0);
return user;
}
}
AuthProvider类
@Component("authProvider")
public class AuthProvider implements AuthenticationProvider {
@Autowired
private LoginService loginService;
@Override
public Authentication authenticate(Authentication auth)
throws AuthenticationException {
String username = auth.getName();
String password = auth.getCredentials().toString();
System.out.println(username + " " + password);
UserDetails user = loginService.loadUserByUsername(username);
System.out.println(user);
if(user != null){
Authentication token = new UsernamePasswordAuthenticationToken(username, password, user.getAuthorities());
return token;
}
return null;
}
@Override
public boolean supports(Class<?> arg0) {
// TODO Auto-generated method stub
return false;
}
}
OBS:此处粘贴的SecurityConfiguration没有注入AuthProvider,但是作为信息,configureGlobal方法应该像这样
@Autowired
private AuthProvider authProvider;
@Autowired
public void configureGlobal ( AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authProvider);
}
最佳答案
问题解决了!似乎HttpSecurity的hasRole()方法检查角色是否为“ROLE_”格式(例如“ROLE_ADMIN”),并且我的“授权方”列表仅返回角色名称(例如“ADMIN”)。而已。