
在我的應用程序中，我試圖授予用戶「/user/**」和「/admin/**」的訪問權限，但是我得到了 403 錯誤。Spring Security 返回 403 錯誤

我使用 Spring Boot 1.5.3

安全配置類:

package com.alokpanda.security.config; 

import org.springframework.beans.factory.annotation.Autowired; 
import org.springframework.context.annotation.Configuration; 
import org.springframework.core.annotation.Order; 
import org.springframework.security.authentication.AuthenticationProvider; 
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; 
import org.springframework.security.config.annotation.web.builders.HttpSecurity; 
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; 

@Configuration
@Order(1)
public class WebSecurityConfigure extends WebSecurityConfigurerAdapter {

    /** Provider that performs the credential check; registered with the global AuthenticationManager. */
    @Autowired
    private AuthenticationProvider authenticationProvider;

    /**
     * Registers the custom {@link AuthenticationProvider} with the shared
     * {@link AuthenticationManagerBuilder}.
     *
     * @param auth the global authentication manager builder
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider);
    }

    /**
     * Configures URL authorization, form login, logout and CSRF handling.
     *
     * @param http the builder for the HTTP security filter chain
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every configurer below is registered on the same HttpSecurity instance, so
        // separate statements are equivalent to one .and()-joined fluent chain.
        http.authorizeRequests()
                .antMatchers("/", "/login", "/logout").permitAll()
                // hasRole("X") matches the granted authority "ROLE_X"; the authority
                // strings produced at login must carry that prefix for these to pass.
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/user/**").hasRole("USER")
                .anyRequest().authenticated();

        http.formLogin()
                .loginPage("/login")
                .usernameParameter("username")
                .passwordParameter("password")
                .loginProcessingUrl("/login")
                .failureUrl("/");

        http.logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/");

        // NOTE(review): CSRF protection is switched off for the whole application,
        // including the session-cookie based login/logout POSTs. With form login
        // this leaves state-changing requests forgeable from other origins; the
        // usual fix is to keep it enabled and render the token in the login form.
        http.csrf().disable();
    }

}

Authentication Provider 類:

package com.alokpanda.security.impl; 

import java.nio.charset.StandardCharsets; 
import java.security.MessageDigest; 

import org.springframework.beans.factory.annotation.Autowired; 
import org.springframework.security.authentication.AuthenticationProvider; 
import org.springframework.security.authentication.BadCredentialsException; 
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; 
import org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider; 
import org.springframework.security.core.Authentication; 
import org.springframework.security.core.AuthenticationException; 
import org.springframework.security.core.userdetails.UserDetails; 
import org.springframework.stereotype.Service; 

import com.alokpanda.security.service.CustomUserDetailsService; 

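@Service
public class AuthenticationProviderImpl extends AbstractUserDetailsAuthenticationProvider {

    /** Source of stored user records; consulted once per authentication attempt. */
    @Autowired
    private CustomUserDetailsService customUserDetailsService;

    /**
     * Compares the submitted credentials with the stored password of the loaded user.
     *
     * <p>The original version printed the username, the stored password and the
     * submitted credentials to stdout and dereferenced {@code token.getCredentials()}
     * before its own null check. Both are removed here: secrets are never printed,
     * and the null check runs first.
     *
     * @param userDetails the user loaded by {@link #retrieveUser}
     * @param token       the authentication request carrying the submitted credentials
     * @throws BadCredentialsException if either side is missing or the passwords differ
     */
    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken token)
            throws AuthenticationException {
        Object submitted = token.getCredentials();
        String stored = userDetails.getPassword();
        if (stored == null || submitted == null) {
            throw new BadCredentialsException("Credential may not be null.");
        }

        // NOTE(review): the stored value is compared as plaintext, which presumes the
        // repository returns an unhashed password. A PasswordEncoder (encoder.matches)
        // with hashed storage is the standard replacement — confirm against the schema.
        // MessageDigest.isEqual runs in constant time, so response timing does not
        // reveal how much of the password matched.
        byte[] submittedBytes = String.valueOf(submitted).getBytes(StandardCharsets.UTF_8);
        byte[] storedBytes = stored.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(submittedBytes, storedBytes)) {
            throw new BadCredentialsException("Invalid Credentials.");
        }
    }

    /**
     * Loads the user record for the given name.
     *
     * @param username login name submitted by the user
     * @param token    the authentication request (unused here)
     * @return the stored user; a {@code UsernameNotFoundException} raised by the
     *         service propagates unchanged
     */
    @Override
    protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken token)
            throws AuthenticationException {
        return customUserDetailsService.loadUserByUsername(username);
    }

}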

UserDetailsService 類:

package com.alokpanda.security.service; 

import java.util.ArrayList; 
import java.util.List; 

import org.springframework.beans.factory.annotation.Autowired; 
import org.springframework.security.core.GrantedAuthority; 
import org.springframework.security.core.authority.SimpleGrantedAuthority; 
import org.springframework.security.core.userdetails.UserDetails; 
import org.springframework.security.core.userdetails.UserDetailsService; 
import org.springframework.security.core.userdetails.UsernameNotFoundException; 
import org.springframework.stereotype.Service; 

import com.alokpanda.model.User; 
import com.alokpanda.model.UserRole; 
import com.alokpanda.repository.UserRepository; 

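@Service
public class CustomUserDetailsService implements UserDetailsService {

    /** Repository used to look up a user by login name. */
    @Autowired
    private UserRepository userRepository;

    /**
     * Loads the user and maps each stored role to a {@link SimpleGrantedAuthority}.
     *
     * @param username login name submitted by the user
     * @return a Spring Security user built from the stored username, password and roles
     * @throws UsernameNotFoundException if no user has that name (the original code
     *         dereferenced the null lookup result and failed with a NullPointerException)
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userRepository.findByUsername(username);
        if (user == null) {
            throw new UsernameNotFoundException("No user found with username: " + username);
        }

        // The role string is used verbatim as the authority name. hasRole("USER") in
        // the HTTP configuration matches the authority "ROLE_USER", so the stored
        // value must carry that prefix (or the config must use hasAuthority instead).
        List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
        for (UserRole userRole : user.getUserRole()) {
            grantedAuthorities.add(new SimpleGrantedAuthority(userRole.getRole()));
        }

        // The Spring User class already implements UserDetails; no cast is needed.
        return new org.springframework.security.core.userdetails.User(
                user.getUsername(), user.getPassword(), grantedAuthorities);
    }

}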

回答


默認情況下，Spring Security 會爲您的角色添加 ROLE_ 前綴。

將角色以 ROLE_USER 和 ROLE_ADMIN 的形式保存在您的數據庫中


在 Spring Boot 中出現錯誤「角色不應該以 'ROLE_' 開頭，因爲它會被自動插入。'ROLE_ADMIN'」 –


然後在數據庫中，嘗試將角色保存爲 ROLE_USER 和 ROLE_ADMIN – Tom