关于Spring Security,我有两个问题。我在网络上做了很多研究,但是答案很肤浅,或者对于我的问题来说太复杂了,导致帮助不多。我试图在我的应用程序中使用Java配置策略(完全无xml)使用Spring Security。

首例
我有一个SecurityConfiguration类,它扩展了WebSecurityConfigurerAdapter。在那里,我已经自动连接了loginService(它实现了UserDetailsS​​ervice),并且已经将AuthenticationManagerBuilder的UserDetailsS​​ervice定义为我的LoginService。

当我尝试使用表单登录时,LoginService成功获取了User(根据提供的用户名和密码),但是以某种方式身份验证失败,并且我在浏览器中从Tomcat收到403-Access Denied消息。

第二种情况
为了解决上述问题,我创建了一个自定义AuthenticationProvider并将其注入到SecurityConfiguration中。但是,当我尝试登录时,方法authenticate()甚至无法工作。

有谁可以帮助我吗?先感谢您

SecurityConfiguration类

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter{

private final String ADMIN_ROLE = "ADMIN";
private final String EMPLOYEE_ROLE = "EMPLOYEE";

@Autowired
private LoginService loginService;

@Autowired
public void configureGlobal ( AuthenticationManagerBuilder auth) throws Exception {

    auth.userDetailsService(loginService);
}

@Override
public void configure( WebSecurity web ) throws Exception {

    web.ignoring().antMatchers("/resources/**");
}

@Override
public void configure( HttpSecurity http ) throws Exception {

    http

        .authorizeRequests()
            .antMatchers("/login**", "/doLogin**").permitAll()
            .antMatchers("/admin", "/admin/**").hasRole(ADMIN_ROLE)
            .anyRequest().authenticated()
            .and()
        .requiresChannel()
            .anyRequest().requiresSecure()
            .and()
        .formLogin()
            .loginPage( "/login" )
            .loginProcessingUrl( "/doLogin" )
            .defaultSuccessUrl( "/admin" )
            .failureUrl( "/login?err=1" )
            .usernameParameter( "username" )
            .passwordParameter( "password" )
            .and()

        // This is where the logout page and process is configured. The logout-url is the URL to send
        // the user to in order to logout, the logout-success-url is where they are taken if the logout
        // is successful, and the delete-cookies and invalidate-session make sure that we clean up after logout
        .logout()
            .logoutRequestMatcher( new AntPathRequestMatcher( "/logout" ) )
            .logoutSuccessUrl( "/login?out=1" )
            .deleteCookies( "JSESSIONID" )
            .invalidateHttpSession( true )
            .and()

        // The session management is used to ensure the user only has one session. This isn't
        // compulsory but can add some extra security to your application.
        .sessionManagement()
            .invalidSessionUrl( "/login" )
            .maximumSessions( 1 );
}

}

LoginService类
@Service("loginService")
public class LoginService implements UserDetailsService{

@Autowired
private HibernateUserDAO hibernateUserDAO;

@Override
public UserDetails loadUserByUsername(String username)
        throws UsernameNotFoundException {

    User user = new User();
    user.setUsername(username);

    List<User> result = hibernateUserDAO.get(user);

    user = result.get(0);
    return user;
}
}

AuthProvider类
@Component("authProvider")
public class AuthProvider implements AuthenticationProvider {


@Autowired
private LoginService loginService;


@Override
public Authentication authenticate(Authentication auth)
        throws AuthenticationException {

    String username = auth.getName();
    String password = auth.getCredentials().toString();
    System.out.println(username + " " + password);

    UserDetails user = loginService.loadUserByUsername(username);
    System.out.println(user);
    if(user != null){

        Authentication token = new UsernamePasswordAuthenticationToken(username, password, user.getAuthorities());

        return token;
    }
    return null;
}

@Override
public boolean supports(Class<?> arg0) {
    // TODO Auto-generated method stub
    return false;
}

}

OBS:此处粘贴的SecurityConfiguration没有注入AuthProvider,但是作为信息,configureGlobal方法应该像这样
@Autowired
private AuthProvider authProvider;

@Autowired
public void configureGlobal ( AuthenticationManagerBuilder auth) throws Exception {

    auth.authenticationProvider(authProvider);
}

最佳答案

问题解决了!似乎HttpSecurity的hasRole()方法检查角色是否为“ROLE_”格式(例如“ROLE_ADMIN”),并且我的“授权方”列表仅返回角色名称(例如“ADMIN”)。而已。

09-26 02:58