0

我正在学习使用 Spring Security,并将其集成到 Web 应用程序中。我正在使用 Spring 和 Spring Security 3.1.2 版。

如果我access="ROLE_USER"在安全配置中指定,身份验证正常工作,即我首先收到 401,登录后,我可以访问资源。

<http>
    <http-basic />
    <logout />
    <intercept-url
        pattern="/exports/**"
        access="ROLE_USER" />
</http>

但是,如果我切换到 EL,我的检查将不再起作用:

<http use-expressions="true">
    <http-basic />
    <logout />
    <intercept-url
        pattern="/exports/**"
        access="hasRole('USER')" />
</http>

我以为这两个配置是等价的,但是第二个没有授权查看资源(403错误)。

查看日志:

DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@844f42c6: Principal: org.springframework.security.core.userdetails.User@c052d588: Username: test; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_USER

DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@1a15597, returned: -1

DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler

如果我理解正确,WebExpressionVoter 投票反对我,尽管身份验证有效。

我错过了什么?

4

1 回答 1

1

解决方案很简单:只需添加ROLE_in hasRole(),例如:

access="hasRole('ROLE_USER')"

我被手册第 16.2 节中的一个例子误导了。

于 2012-09-30T22:14:57.980 回答