Spring security expression sec:authorize dont work

ca1c2owp  于 2023-09-29  发布在  Spring
关注(0)|答案(1)|浏览(119)

我想显示一个标记为登录到一个匿名用户和一个标记为注销tu认证的用户有ROLE_USER im使用sec:授权,但它不做任何事情,不给予我错误只是不工作。
这是我的pom:

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>

    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>8.0.32</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webflux</artifactId>
    </dependency>

    <dependency>
        <groupId>com.google.code.gson</groupId>
        <artifactId>gson</artifactId>
        <version>2.10.1</version>
    </dependency>
    <dependency>
        <groupId>io.projectreactor.netty</groupId>
        <artifactId>reactor-netty-http</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-tomcat</artifactId>
        <scope>provided</scope>
    </dependency>

    <dependency>
        <groupId>org.thymeleaf</groupId>
        <artifactId>thymeleaf-spring5</artifactId>
    </dependency>


    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-springsecurity5</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-taglibs</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.ldap</groupId>
        <artifactId>spring-ldap-core</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-ldap</artifactId>
    </dependency>

    <dependency>
        <groupId>com.unboundid</groupId>
        <artifactId>unboundid-ldapsdk</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-test</artifactId>
        <scope>test</scope>
    </dependency>

    <dependency>
        <groupId>org.hibernate.validator</groupId>
        <artifactId>hibernate-validator</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>

<build>
    <plugins>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
        </plugin>
    </plugins>
</build>

如果我打印了principal,我得到了这个:

AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]

并且对于认证:

UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=Balza, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=A2C735A0D12E494E89DC72BB9BAD7119], Granted Authorities=[ROLE_USER]]

Thymeleaf页面有:

<html xmlns:th="http://www.thymeleaf.org"
  xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity5" lang="it">

而sec:authorize是:

<li sec:authorize="hasRole('ROLE_ANONYMOUS')"><a class="dropdown-item" href="login">Login</a></li>
<li sec:authorize="hasRole('ROLE_USER')"><a class="dropdown-item" href="perform_logout">Logout</a></li>

安全配置:

@Override
protected void configure (final HttpSecurity http) throws Exception{

    http
            .authorizeRequests()
            .antMatchers("/anonymus*").anonymous() //role anonymus
            .antMatchers("/login*").permitAll()
            .antMatchers("/static/**").permitAll() //resources
            .antMatchers("/addAuthors").hasRole("USER")
            .antMatchers("/*").permitAll()
            .anyRequest().authenticated()

            .and()
            .formLogin()
            .loginPage("/login")
            .loginProcessingUrl("/perform_login")
            .failureUrl("/login?error=true")
            .permitAll()
            .defaultSuccessUrl("/", true)

            .and()
            .rememberMe()
            .key("superSecretKey")
            .tokenValiditySeconds(18000) //5 ore
            .tokenRepository(tokenRepository())

            .and()
            .logout()
            .logoutSuccessUrl("/")
            .logoutRequestMatcher(new AntPathRequestMatcher("/perform_logout", "GET"))
            .invalidateHttpSession(true)
            .deleteCookies("JSESSIONID")
            .permitAll();
}

我也尝试了这个解决方案,但我得到了未知的html标签sec:authorize thymeleaf:

<sec:authorize access="hasAnyAuthority('ANONYMOUS')"><li><a class="dropdown-item" href="login">Login</a></li></sec:authorize>

我还试图检索登录用户的名称,但不工作,它就像我没有访问该页面的用户的信息
编辑:
我使用了这个“变通方法”,但我不知道这是否是一个正确的方法:

<li><a th:if="${role == '[ROLE_ANONYMOUS]'}" class="dropdown-item" href="login">Login</a></li>
<li><a th:if="${role == '[ROLE_USER]'}" class="dropdown-item" href="perform_logout">Logout</a></li>
doinxwow

doinxwow1#

如果授予的权限是这样的Granted Authorities=[ROLE_ANONYMOUS]。Spring安全性的一个角色是ANONYMOUS
将安全标记更新为
sec:authorize="hasRole('ANONYMOUS')"
或者您可以使用
sec:authorize="hasAuthority('ROLE_ANONYMOUS')"
hasRole(String role)的文档如下。
如果当前主体具有指定的角色,则返回true。
例如,hasRole('admin')
默认情况下,如果提供的角色不是以“ROLE_”开头,则将添加该角色。这可以通过修改DefaultWebSecurityExpressionHandler上的defaultRolePrefix来自定义。
参考:Spring security common build-in expressions

相关问题