2017-02-26

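Question: Spring custom login returns a 403 Access Denied page

After entering the correct credentials, I get a 403 Access Denied page. Here are some of the important files.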

spring-security.xml file

<security:http auto-config="true" use-expressions="true">

    <security:intercept-url pattern="/manageIndustry/viewAddIndustryForm"
        access="hasRole('Recruiter')" />

    <security:form-login login-page="/login/"
        default-target-url="/userpage/"
        authentication-failure-url="/accessdenied"
        username-parameter="emailId"
        password-parameter="userPassword"
        login-processing-url="/j_spring_security_check"
        always-use-default-target="false" />

    <security:logout invalidate-session="true" />
    <security:csrf />
</security:http>

<security:authentication-manager>
    <security:authentication-provider
        user-service-ref="LoginService">
    </security:authentication-provider>
</security:authentication-manager>

LoginService.java

@Override
public UserDetails loadUserByUsername(String emailID)
        throws UsernameNotFoundException {
    UserVO userVO = userDAO.getSingleUserByEmailId(emailID);
    if (userVO == null) {
        // The UserDetailsService contract requires an exception here, never a null return
        throw new UsernameNotFoundException("No user found for the given email id");
    }
    List<SimpleGrantedAuthority> grantedAuthority = buildSimpleGrantedAuthority(userVO);
    // Arguments: username, password, enabled, accountNonExpired,
    // credentialsNonExpired, accountNonLocked, authorities
    UserDetails userDetails = new User(userVO.getEmailId(), userVO.getUserPassword(),
            userVO.getIsActive() == 1, true, true, true, grantedAuthority);
    return userDetails;
}

// Builds the authority from the bare role name, with no prefix
private List<SimpleGrantedAuthority> buildSimpleGrantedAuthority(
        final UserVO userVO) {
    List<SimpleGrantedAuthority> grantedAuthorities = new ArrayList<>();
    if (userVO.getRoleVO() != null) {
        grantedAuthorities.add(new SimpleGrantedAuthority(userVO
                .getRoleVO().getRoleName()));
    }
    return grantedAuthorities;
}

LoginController.java

@RequestMapping("/userpage")
public ModelAndView userpage() {
    ModelAndView modelAndView = new ModelAndView();
    Object principal = SecurityContextHolder.getContext()
            .getAuthentication().getPrincipal();
    log.info(principal);
    if (principal instanceof UserDetails) {
        Collection<? extends GrantedAuthority> authorities = ((UserDetails) principal)
                .getAuthorities();
        if (authorities.size() == 1) {
            final Iterator<? extends GrantedAuthority> iterator = authorities
                    .iterator();
            GrantedAuthority grantedAuthority = iterator.next();
            if (grantedAuthority.getAuthority().equals("Recruiter")) {
                IndustryVO industryVO = new IndustryVO();
                modelAndView.addObject("industryVO", industryVO);
                modelAndView.setViewName("addIndustry");
                return modelAndView;
            }
        }
    }
    modelAndView.setViewName("viewIndustry");
    return modelAndView;
}

IndustryController.java

@RequestMapping("/manageIndustry")
public class IndustryController {
    @Autowired
    IndustryDAO industryDAO;

    @RequestMapping("/viewAddIndustryForm")
    public ModelAndView viewAddIndustryForm() {
        Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        log.info("this is called");

        ModelAndView modelAndView = new ModelAndView();
        IndustryVO industryVO = new IndustryVO();
        modelAndView.addObject("industryVO", industryVO);
        modelAndView.setViewName("addIndustry");
        return modelAndView;
    }
}

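After opening http://localhost:8080/JobPortal/login and entering the correct credentials, it redirects me to the addIndustry page, given default-target-url="/userpage/" and the code in the login controller.

But when I try to access the addIndustry page directly, i.e. http://localhost:8080/JobPortal/manageIndustry/viewAddIndustryForm, it opens the login page, as per the configuration in Spring-Security.xml, but even after providing the correct credentials I get HTTP Status 403 - Access is denied

Any help would be appreciated.

Thanks.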

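Answer

Which version of Spring Security are you using? As far as I remember, in older versions you had to add the prefix "ROLE_" to the user roles, so in your buildSimpleGrantedAuthority you should do this: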

private List<SimpleGrantedAuthority> buildSimpleGrantedAuthority(
        final UserVO userVO) {
    List<SimpleGrantedAuthority> grantedAuthorities = new ArrayList<>();
    if (userVO.getRoleVO() != null) {
        grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_" + userVO
                .getRoleVO().getRoleName()));
    }
    return grantedAuthorities;
}
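
The prefix behaviour discussed in the answer can be checked outside the web application with the following added example, which is not code from the question or the answer. It assumes spring-security-core 4.0 or later on the classpath, where hasRole() prepends the default "ROLE_" prefix; the class name RolePrefixCheck and the sample user are hypothetical.

```java
import java.util.List;

import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

// Added example: RolePrefixCheck is a hypothetical name, not a class from the question.
// Assumes spring-security-core 4.0 or later on the classpath.
public class RolePrefixCheck {

    // SecurityExpressionRoot is the base class behind access="..." expressions.
    // The user here is constructed sample data holding exactly one authority.
    static SecurityExpressionRoot rootFor(String authority) {
        List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList(authority);
        Authentication auth = new UsernamePasswordAuthenticationToken(
                "recruiter@example.com", "not-used", authorities);
        return new SecurityExpressionRoot(auth) { };
    }

    public static void main(String[] args) {
        // Authority as built by the question's buildSimpleGrantedAuthority: the bare role name.
        SecurityExpressionRoot bare = rootFor("Recruiter");
        // hasRole() prepends the default prefix, so it looks for "ROLE_Recruiter".
        System.out.println("bare, hasRole('Recruiter'): " + bare.hasRole("Recruiter"));
        // hasAuthority() compares the string as given, with no prefix handling.
        System.out.println("bare, hasAuthority('Recruiter'): " + bare.hasAuthority("Recruiter"));

        // Authority as built by the answer's version: "ROLE_" + role name.
        SecurityExpressionRoot prefixed = rootFor("ROLE_Recruiter");
        System.out.println("prefixed, hasRole('Recruiter'): " + prefixed.hasRole("Recruiter"));
        System.out.println("prefixed, hasAuthority('Recruiter'): " + prefixed.hasAuthority("Recruiter"));
    }
}
```

Under that assumption the bare authority satisfies only hasAuthority('Recruiter') and the prefixed authority satisfies only hasRole('Recruiter'). If the "ROLE_" prefix is added in LoginService, the equals("Recruiter") comparison in userpage() has to change as well; switching the intercept-url to access="hasAuthority('Recruiter')" leaves both untouched.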