Spring Security

Question

我正在开发一个使用SS进行角色管理的for应用程序。当我尝试以管理员身份登录时，它工作得很好，但问题是当我想以用户身份登录时，它也会这样做，这是我不想成为的东西。有什么想法请提出来

这是我的安全性-cpntext.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans 
                http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                http://www.springframework.org/schema/security 
                http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<!-- We will be defining all security related configurations in this file -->
<http pattern="/login" security="none" />

<http use-expressions="true" >
        <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/login" access="permitAll" />  
        <intercept-url pattern="/index" access="hasRole('Admin')"/>
        <form-login login-page="/login" default-target-url="/index" authentication-failure-url="/login"/> <!-- We will just use the built-in form login page in Spring -->
        <access-denied-handler error-page="/login" />
        <!-- <intercept-url pattern="/**" access="isAuthenticated()"/>  --><!--   this means all URL in this app will be checked if user is authenticated -->
        <logout logout-url="/logout" logout-success-url="/index"/> <!-- the logout url we will use in JSP -->
</http>

<beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <beans:property name="userDetailsService" ref="userDetailsService" ></beans:property>

</beans:bean>

<beans:bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <beans:property name="providers">
        <beans:list>
            <beans:ref local="daoAuthenticationProvider"/>
        </beans:list>
    </beans:property>
</beans:bean>

<authentication-manager>
    <authentication-provider user-service-ref="userDetailsService">
        <password-encoder hash="md5"></password-encoder>
    </authentication-provider>
</authentication-manager>

​

Answer 1

我可以在这里看到两个可能导致问题的潜在问题。

1)您正在为/index指定hasRole('Admin')。如果角色名为Admin，那么您应该指定hasRole('ROLE_Admin')。

2)您的配置中存在重复项。<authentication-manager>告诉Spring security创建一个ProviderManager实例。因此，您已经声明了这一点，但是您还手动地将ProviderManager指定为复制<authentication-manager>所做的事情的bean实例。删除以下内容：

<beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <beans:property name="userDetailsService" ref="userDetailsService" ></beans:property>

</beans:bean>

<beans:bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <beans:property name="providers">
        <beans:list>
            <beans:ref local="daoAuthenticationProvider"/>
        </beans:list>
    </beans:property>
</beans:bean>

然后离开：

<authentication-manager>
    <authentication-provider user-service-ref="userDetailsService">
        <password-encoder hash="md5"></password-encoder>
    </authentication-provider>
</authentication-manager>

试一试，看看你会得到什么。