2016-08-25 94 views
0

sec:authorize does not work with custom roles

I have some custom roles like these:

<span sec:authentication="principal.authorities">[MENU_USER, BUTTON_ADD_USER, ROLE_USER, MENU_PRIVILEGE, BUTTON_EDIT_USER]</span>

<div sec:authorize="hasRole('MENU_USER')">
    <span>This content is only shown to administrators.</span>
</div>

When using 'ROLE_USER', the text in the span displays normally, but when using other roles the text does not display. Then I added the 'ROLE_' prefix to the custom roles and it worked normally again.

I tried to remove the 'ROLE_' prefix restriction like this:

@Bean
AccessDecisionManager accessDecisionManager() {
    RoleVoter voter = new RoleVoter();
    voter.setRolePrefix("");
    List<AccessDecisionVoter<? extends Object>> voters = new ArrayList<>();

    voters.add(new WebExpressionVoter());
    voters.add(voter);
    voters.add(new AuthenticatedVoter());
    AffirmativeBased decisionManager = new AffirmativeBased(voters);
    return decisionManager;
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .accessDecisionManager(accessDecisionManager())
            .antMatchers("/webjars/**", "/login").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login")
            .permitAll()
            .loginProcessingUrl("/j_spring_security_check")
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .defaultSuccessUrl("/home", true)
            .failureUrl("/test")
            .and()
        // logout configuration
        .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessUrl("/login?logout")
            .permitAll();
}

It didn't work either. Any idea how to remove the mandatory 'ROLE_' prefix?

+0

Check http://stackoverflow.com/questions/21620076/spring-security-remove-rolevoter-prefix and http://stackoverflow.com/questions/10939792/custom-rolevoter-and-accessing-userrole for another voter check –

Answer

0

My upgrade of Spring Security to 4.0.3 caused the problem. According to the Spring security doc:

By default, if the supplied role does not start with 'ROLE_' it will be added. This can be customized by modifying the defaultRolePrefix on DefaultWebSecurityExpressionHandler.

I added the following code to my SecurityConfig.java and the problem was fixed.

@Bean
DefaultWebSecurityExpressionHandler webSecurityExpressionHandler() {
    DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
    handler.setDefaultRolePrefix("");
    return handler;
}

Later, I found from spring security migrating that an official patch can disable the automatic ROLE_ prefix using a BeanPostProcessor similar to the following:

package sample.role_;

import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.core.PriorityOrdered;
import org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;

public class DefaultRolesPrefixPostProcessor implements BeanPostProcessor, PriorityOrdered {

    @Override
    public Object postProcessAfterInitialization(Object bean, String beanName)
            throws BeansException {

        // remove this if you are not using JSR-250
        if (bean instanceof Jsr250MethodSecurityMetadataSource) {
            ((Jsr250MethodSecurityMetadataSource) bean).setDefaultRolePrefix(null);
        }

        if (bean instanceof DefaultMethodSecurityExpressionHandler) {
            ((DefaultMethodSecurityExpressionHandler) bean).setDefaultRolePrefix(null);
        }
        if (bean instanceof DefaultWebSecurityExpressionHandler) {
            ((DefaultWebSecurityExpressionHandler) bean).setDefaultRolePrefix(null);
        }
        if (bean instanceof SecurityContextHolderAwareRequestFilter) {
            ((SecurityContextHolderAwareRequestFilter) bean).setRolePrefix("");
        }
        return bean;
    }

    @Override
    public Object postProcessBeforeInitialization(Object bean, String beanName)
            throws BeansException {
        return bean;
    }

    @Override
    public int getOrder() {
        return PriorityOrdered.HIGHEST_PRECEDENCE;
    }
}

And then define it as a bean:

@Bean
public static DefaultRolesPrefixPostProcessor defaultRolesPrefixPostProcessor() {
    return new DefaultRolesPrefixPostProcessor();
}
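To see why the question's `hasRole('MENU_USER')` check fails while `ROLE_USER` works, here is an added stand-alone example (not from the question, the answer, or Spring's own samples) that evaluates `hasRole` directly on `SecurityExpressionRoot`, the class whose `defaultRolePrefix` both expression handlers above configure. The `hasRole` expression is decided by the `WebExpressionVoter` through the expression handler, not by `RoleVoter`, which is why clearing the prefix on `RoleVoter` alone had no effect. The authority list is constructed to mirror the span in the question, and the example assumes Spring Security 4.x on the classpath.

```java
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class RolePrefixDemo {

    // Constructed sample authorities, matching the principal.authorities span above.
    static Authentication sampleUser() {
        return new UsernamePasswordAuthenticationToken("user", "n/a",
                AuthorityUtils.createAuthorityList(
                        "MENU_USER", "BUTTON_ADD_USER", "ROLE_USER",
                        "MENU_PRIVILEGE", "BUTTON_EDIT_USER"));
    }

    // Evaluate hasRole(role) the way the expression handler does,
    // under the given defaultRolePrefix.
    static boolean hasRoleWithPrefix(String prefix, String role) {
        // SecurityExpressionRoot is abstract but declares no abstract methods,
        // so an anonymous subclass is enough for direct evaluation.
        SecurityExpressionRoot root = new SecurityExpressionRoot(sampleUser()) {};
        root.setDefaultRolePrefix(prefix);
        return root.hasRole(role);
    }

    public static void main(String[] args) {
        // Spring Security 4 default prefix: hasRole('MENU_USER') is rewritten to
        // a check for ROLE_MENU_USER, an authority this user does not hold.
        System.out.println("ROLE_ prefix, MENU_USER: "
                + hasRoleWithPrefix("ROLE_", "MENU_USER"));
        // hasRole('USER') is rewritten to ROLE_USER, which the user does hold.
        System.out.println("ROLE_ prefix, USER:      "
                + hasRoleWithPrefix("ROLE_", "USER"));
        // Empty prefix (the answer's fix): the raw authority name is compared,
        // so the custom role is found as-is.
        System.out.println("empty prefix, MENU_USER: "
                + hasRoleWithPrefix("", "MENU_USER"));
        // Side effect to account for: with an empty prefix, hasRole('USER') no
        // longer expands to ROLE_USER, so templates written against the old
        // behaviour must now name the full authority string.
        System.out.println("empty prefix, USER:      "
                + hasRoleWithPrefix("", "USER"));
    }
}
```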