我想显示一个标记为登录到一个匿名用户和一个标记为注销tu认证的用户有ROLE_USER im使用sec:授权,但它不做任何事情,不给予我错误只是不工作。
这是我的pom:
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>8.0.32</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webflux</artifactId>
</dependency>
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<version>2.10.1</version>
</dependency>
<dependency>
<groupId>io.projectreactor.netty</groupId>
<artifactId>reactor-netty-http</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.thymeleaf</groupId>
<artifactId>thymeleaf-spring5</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.ldap</groupId>
<artifactId>spring-ldap-core</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
</dependency>
<dependency>
<groupId>com.unboundid</groupId>
<artifactId>unboundid-ldapsdk</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.hibernate.validator</groupId>
<artifactId>hibernate-validator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>如果我打印了principal,我得到了这个:
AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]并且对于认证:
UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=Balza, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=A2C735A0D12E494E89DC72BB9BAD7119], Granted Authorities=[ROLE_USER]]Thymeleaf页面有:
<html xmlns:th="http://www.thymeleaf.org"
xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity5" lang="it">而sec:authorize是:
<li sec:authorize="hasRole('ROLE_ANONYMOUS')"><a class="dropdown-item" href="login">Login</a></li>
<li sec:authorize="hasRole('ROLE_USER')"><a class="dropdown-item" href="perform_logout">Logout</a></li>安全配置:
@Override
protected void configure (final HttpSecurity http) throws Exception{
http
.authorizeRequests()
.antMatchers("/anonymus*").anonymous() //role anonymus
.antMatchers("/login*").permitAll()
.antMatchers("/static/**").permitAll() //resources
.antMatchers("/addAuthors").hasRole("USER")
.antMatchers("/*").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/perform_login")
.failureUrl("/login?error=true")
.permitAll()
.defaultSuccessUrl("/", true)
.and()
.rememberMe()
.key("superSecretKey")
.tokenValiditySeconds(18000) //5 ore
.tokenRepository(tokenRepository())
.and()
.logout()
.logoutSuccessUrl("/")
.logoutRequestMatcher(new AntPathRequestMatcher("/perform_logout", "GET"))
.invalidateHttpSession(true)
.deleteCookies("JSESSIONID")
.permitAll();
}我也尝试了这个解决方案,但我得到了未知的html标签sec:authorize thymeleaf:
<sec:authorize access="hasAnyAuthority('ANONYMOUS')"><li><a class="dropdown-item" href="login">Login</a></li></sec:authorize>我还试图检索登录用户的名称,但不工作,它就像我没有访问该页面的用户的信息
编辑:
我使用了这个“变通方法”,但我不知道这是否是一个正确的方法:
<li><a th:if="${role == '[ROLE_ANONYMOUS]'}" class="dropdown-item" href="login">Login</a></li>
<li><a th:if="${role == '[ROLE_USER]'}" class="dropdown-item" href="perform_logout">Logout</a></li>
1条答案
按热度按时间doinxwow1#
如果授予的权限是这样的
Granted Authorities=[ROLE_ANONYMOUS]。Spring安全性的一个角色是ANONYMOUS。将安全标记更新为
sec:authorize="hasRole('ANONYMOUS')"或者您可以使用
sec:authorize="hasAuthority('ROLE_ANONYMOUS')"。hasRole(String role)的文档如下。如果当前主体具有指定的角色,则返回true。
例如,hasRole('admin')
默认情况下,如果提供的角色不是以“ROLE_”开头,则将添加该角色。这可以通过修改DefaultWebSecurityExpressionHandler上的defaultRolePrefix来自定义。
参考:Spring security common build-in expressions