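I am trying to implement custom authentication with Spring Security in my application by implementing AuthenticationProvider. Authentication is successful and the user also has the specified role, but I still always get the access denied page. Below is my code. I am new to Spring Security. Please help. Thanks in advance.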
Spring-security.xml
<form-login
login-page="/login" login-processing-url="/j_spring_security_check" default-target-url="/welcome" authentication-failure-url="/login?error"
/>
<access-denied-handler error-page="/403" />
<logout logout-success-url="/login?logout" />
<csrf disabled="true"/>
</http>
<authentication-manager id="dao-auth" erase-credentials="false">
<authentication-provider ref="customAuthenticationProvider">
</authentication-provider>
</authentication-manager>
<b:bean id="customAuthenticationProvider" class="com.xom.custom.dataservice.impl.CustomAuthenticationProvider"></b:bean>
CustomAuthenticationProvider
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    String name = authentication.getName();
    String password = authentication.getCredentials().toString();
    final User rasUser;
    try {
        rasUser = checkPrivileges(name, password);
    } catch (NoRASUserLoginException exception) {
        throw new ServiceException(0, "exception while retrieving user data " + exception);
    } catch (SQLException exception) {
        throw new ServiceException(0, "exception while retrieving user privilages " + name + exception);
    }
    // userValue = (UserDetails) rasUser;
    if (rasUser == null)
        throw new UsernameNotFoundException(name + " not found");
    List<SimpleGrantedAuthority> auths = new java.util.ArrayList<SimpleGrantedAuthority>();
    for (String privilege : rasUser.getPermissions()) {
        if (privilege != null && privilege.equalsIgnoreCase("RReportAdmin")) {
            auths.add(new SimpleGrantedAuthority("ROLES_".concat(privilege)));
        }
    }
    auths = auths.stream().distinct().collect(Collectors.toList());
    authentication = new UsernamePasswordAuthenticationToken(name, password, auths);
    return authentication;
}
Login.jsp
<html>
<head>
<title>Login</title>
</head>
<body onload='document.loginForm.username.focus();'>
<h1>Spring Security Custom Login Form (XML)</h1>
<div id="login-box">
<h3>Login with Username and Password</h3>
<form name='loginForm'
action="<c:url value='/j_spring_security_check' />" method='POST'>
<table>
<tr>
<td>User:</td>
<td><input type='text' name='username'></td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='password' /></td>
</tr>
<tr>
<td colspan='2'><input name="submit" type="submit"
value="submit" /></td>
</tr>
</table>
</form>
</div>
</body>
</html>
Log
2017-11-07 03:47:42,212 DEBUG o.s.s.w.u.m.AntPathRequestMatcher http-nio-8080-exec-15 Checking match of request : '/admin'; against '/admin'
2017-11-07 03:47:42,214 DEBUG o.s.s.a.i.AbstractSecurityInterceptor http-nio-8080-exec-15 Secure object: FilterInvocation: URL: /admin; Attributes: hasRole('ROLES_RReportAdmin')
2017-11-07 03:47:42,214 DEBUG o.s.s.a.i.AbstractSecurityInterceptor http-nio-8080-exec-15 Previously Authenticated: rparwee; Credentials: PROTECTED; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1c07a: RemoteIpAddress: 127.0.0.1; SessionId: EE3501D56ED257409E40A4F8D5F6F794; Granted Authorities: ROLES_RReportAdmin
2017-11-07 03:47:42,216 DEBUG o.s.s.a.v.AffirmativeBased http-nio-8080-exec-15 Voter: org.springframework.security.web.access.expression.WebExpressionVoter@6102b9a6, returned: -1
2017-11-07 03:47:42,219 TRACE o.s.c.s.AbstractApplicationContext http-nio-8080-exec-15 WebApplicationContext for namespace 'mvc-dispatcher-servlet': /admin URL: /admin
2017-11-07 03:47:42,219 DEBUG o.s.s.w.a.ExceptionTranslationFilter http-nio-8080-exec-15 Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~spring-security-core-4.2.3.RELEASE.jar:4.2.3.RELEASE
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~spring-security-core-4.2.3.RELEASE.jar:4.2.3.RELEASE
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~spring-security-web-4.2.3.RELEASE.jar:4.2.3.RELEASE
Posted on 2017-11-07 10:47:17
Please try adding access="permitAll" in Spring-security.xml for login-page="/login", and also access="hasRole('ROLE_RReportAdmin')" for /welcome.
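Posted on 2017-11-08 05:54:51
I found my mistake. The "ROLE_" prefix is checked before authorization is checked. In my case, I was adding "ROLES_".
I changed the code from <intercept-url pattern="/admin**" access="hasRole('ROLES_RReportAdmin')" /> to <intercept-url pattern="/admin**" access="hasRole('ROLE_RReportAdmin')" />.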
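The prefix handling behind the denial in the log above, as an added example that is not part of the original question or answers. It evaluates hasRole() and hasAuthority() through Spring Security's own SecurityExpressionRoot against the authority strings discussed in this thread. The class name RolePrefixCheck, its helper methods and the sample principal are hypothetical, and spring-security-core 4.x is assumed to be on the classpath.

```java
import java.util.Collections;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

// Added illustration; class and method names are hypothetical.
// Needs spring-security-core (4.x, as in the posted stack trace) on the classpath.
public class RolePrefixCheck {

    // Builds the expression root that access="..." expressions are evaluated against,
    // for a user holding exactly one granted authority.
    static SecurityExpressionRoot rootFor(String grantedAuthority) {
        Authentication token = new UsernamePasswordAuthenticationToken(
                "sample-user", "n/a", // constructed sample principal and credentials
                Collections.singletonList(new SimpleGrantedAuthority(grantedAuthority)));
        return new SecurityExpressionRoot(token) { };
    }

    // Prints the decision and fails loudly if it is not the expected one.
    static void check(String label, boolean actual, boolean expected) {
        System.out.println(label + " -> " + actual);
        if (actual != expected) {
            throw new IllegalStateException("unexpected result for: " + label);
        }
    }

    public static void main(String[] args) {
        SecurityExpressionRoot asPosted = rootFor("ROLES_RReportAdmin");
        // hasRole() prepends "ROLE_" unless the argument already starts with it,
        // so this looks up "ROLE_ROLES_RReportAdmin" and denies.
        check("granted ROLES_RReportAdmin, hasRole('ROLES_RReportAdmin')",
                asPosted.hasRole("ROLES_RReportAdmin"), false);
        // Changing only the XML still denies while the provider grants "ROLES_...".
        check("granted ROLES_RReportAdmin, hasRole('ROLE_RReportAdmin')",
                asPosted.hasRole("ROLE_RReportAdmin"), false);
        // hasAuthority() compares the string as-is, with no prefix handling.
        check("granted ROLES_RReportAdmin, hasAuthority('ROLES_RReportAdmin')",
                asPosted.hasAuthority("ROLES_RReportAdmin"), true);

        SecurityExpressionRoot corrected = rootFor("ROLE_RReportAdmin");
        check("granted ROLE_RReportAdmin, hasRole('ROLE_RReportAdmin')",
                corrected.hasRole("ROLE_RReportAdmin"), true);
        check("granted ROLE_RReportAdmin, hasRole('RReportAdmin')",
                corrected.hasRole("RReportAdmin"), true);
    }
}
```

The string passed to SimpleGrantedAuthority in the provider and the role named in the access expression have to agree after prefixing, so both sides need checking when an authenticated user is denied.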
https://stackoverflow.com/questions/47155124