1. 首頁
  2. 問答
  3. 春季安全認證成功後返回HTTP 403

春季安全認證成功後返回HTTP 403

2017-07-28 151 views
0

我使用的是spring 4.3.10.RELEASE和spring-security 4.2.3.RELEASE
當我嘗試打開/ admin成功認證後,我得到403,但我已經全部需要有關部門,看看tomcat日誌。春季安全認證成功後返回HTTP 403

我的安全配置:

@Configuration 
@EnableWebSecurity 
public class WebSecurityConfig extends WebSecurityConfigurerAdapter { 

    private DataSource dataSource; 

    @Override 
    protected void configure(HttpSecurity http) throws Exception { 
     http.authorizeRequests() 
       .antMatchers("/resources/**").permitAll() 
       .antMatchers("/admin/**").hasRole("ADMIN") 
       .anyRequest().authenticated().and() 
       .formLogin().loginPage("/login").failureUrl("/login?error").permitAll().and() 
       .logout().logoutUrl("/logout").logoutSuccessUrl("/login?logout") 
       .invalidateHttpSession(true) 
       .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET")).and() 
       .csrf().and() 
       .exceptionHandling().accessDeniedPage("/403"); 
    } 

    @Autowired 
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { 
     auth.jdbcAuthentication() 
       .dataSource(dataSource) 
       .passwordEncoder(passwordEncoder()) 
       .usersByUsernameQuery("SELECT username, password, enabled FROM app_user WHERE username = ?") 
       .authoritiesByUsernameQuery("SELECT username, role FROM app_user_role WHERE username = ?"); 
    } 

    @Bean 
    public PasswordEncoder passwordEncoder() { 
     return new BCryptPasswordEncoder(); 
    } 

    @Autowired 
    public void setDataSource(DataSource dataSource) { 
     this.dataSource = dataSource; 
    }

我的Tomcat的日誌:

2017-07-28 14:18:15 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/admin'; against '/resources/**' 
2017-07-28 14:18:15 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/admin'; against '/admin/**' 
2017-07-28 14:18:15 DEBUG FilterSecurityInterceptor:219 - Secure object: FilterInvocation: URL: /admin; Attributes: [hasRole('ROLE_ADMIN')] 
2017-07-28 14:18:15 DEBUG FilterSecurityInterceptor:348 - Previously Authenticated: org.springframew[email protected]f9ea146f: Principal: [email protected]: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenti[email protected]: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 9F780DC552AED23804184D55F3F9BF0D; Granted Authorities: ADMIN, USER 
2017-07-28 14:18:15 DEBUG AffirmativeBased:66 - Voter: org.sp[email protected]6e6a7061, returned: -1 
2017-07-28 14:18:15 DEBUG ExceptionTranslationFilter:185 - Access is denied (user is not anonymous); delegating to AccessDeniedHandler 
org.springframework.security.access.AccessDeniedException: Access is denied 
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) 
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) 
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) 
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)

來源

2017-07-28 Svyat

回答

0

解決了!關鍵字是前綴「ROLE_」

@Autowired 
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { 
    auth.jdbcAuthentication() 
      .dataSource(dataSource) 
      .rolePrefix("ROLE_") 
      .passwordEncoder(passwordEncoder()) 
      .usersByUsernameQuery("SELECT username, password, enabled FROM app_user WHERE username = ?") 
      .authoritiesByUsernameQuery("SELECT username, role FROM app_user_role WHERE username = ?"); 
}

來源

2017-07-28 13:05:51 Svyat

相關問題

 相關問題