此问题在此处已有答案：

Spring Security Role Based Authorization is not working（1个答案）
21天前关闭
我目前正在将应用程序迁移到JDK 17，Apache Tomcat 10.1和Spring Framework 6.0。作为此迁移的一部分，Spring Security框架已迁移到6.1.4。在完成必要的代码和配置更改后，Tomcat应用程序服务器的启动成功，并且能够登录到应用程序。但是，当我试图从应用程序中访问特定的网页时，它会给出403的HTTP响应。
下面是进一步分析问题后得到的一些细节。它是一个GET请求，URL如下：

<base_url>/SwiftWeb/pages/client/client_tab.jsf？sml_current_id=51828371

我检查了Spring Security配置文件（applicationContext-security.xml），并观察到对于此网页，以下是安全配置：

<security:intercept-url pattern="/pages/client/**"
            access="hasAnyRole('BROKERPERSON, BROKERPERSONVIEW, PROCESSOWNER')" />

字符串
以下是Spring Security配置文件的片段，其中配置了不同页面的角色：

<security:http auto-config="true" use-expressions="true" disable-url-rewriting="true">
        <security:form-login login-page="/pages/login.jsf"/>    
        <security:custom-filter position="PRE_AUTH_FILTER"
            ref="preAuthFilter" />
        <security:intercept-url pattern="/pages/client/**"
            access="hasAnyRole('BROKERPERSON, BROKERPERSONVIEW, PROCESSOWNER')" />
        <security:intercept-url pattern="/pages/contacts/**"
            access="hasAnyRole('BROKERPERSON, COMPANYADMIN, BRANCHADMIN, PROCESSOWNER, ACCOUNTANT, PREMIUMFUNDINGUSER, SYSTEM')" />
        <security:intercept-url pattern="/pages/report/**"
            access="permitAll" />
        <security:intercept-url pattern="/pages/home/**"
            access="permitAll" />
        <security:intercept-url pattern="/**/*.jsf" access="permitAll" />
        <security:intercept-url pattern="/**/*.gif" access="permitAll" />
        <security:intercept-url pattern="/**/*.js" access="permitAll" />
        <security:intercept-url pattern="/pages/security/password_update.jsf"
            access="hasAnyRole('ROLE_ANONYMOUS, BROKERPERSON, COMPANYADMIN, BRANCHADMIN, PROCESSOWNER, ACCOUNTANT, PREMIUMFUNDINGUSER, SYSTEM')" /> 
        <security:csrf disabled="true"/>
        <security:headers  >
            <security:frame-options policy="SAMEORIGIN" /> 
            <security:hsts disabled="true"/>
            <security:content-type-options disabled="true"/>
            <security:xss-protection disabled="true"/>
            <security:cache-control disabled="true"/>
        </security:headers>
                
    </security:http>
    
    <!-- User Context bean defined as session scope using aop scoped proxy -->
    <bean id="userContext" class="com.swift.core.security.view.UserContext"
        scope="session">
        <aop:scoped-proxy proxy-target-class="true" />
    </bean>
    <!-- List of request handler(s) beans -->
    <bean id="verifyUserHandler"
        class="com.swift.core.security.common.handlers.VerifyUserRequestHandler" />
    <bean id="userAuthHandler"
        class="com.swift.core.security.common.handlers.UserAuthenticationRequestHandler" />
    <bean id="userAuthDummyHandler"
        class="com.swift.core.security.common.handlers.UserAuthenticationRequestDummyHandler" />
    <bean id="userParamHandler"
        class="com.swift.core.security.common.handlers.UserParameterRequestHandler" />
    <bean id="userWebSecurityExpressionHandler" 
        class="com.swift.core.security.common.handlers.UserWebSecurityExpressionHandler" />
    <bean id="preAuthFilter" class="com.swift.core.security.filter.SwiftPreAuthFilter">
        <property name="checkForPrincipalChanges">
        <value>true</value>
        </property>
        <property name="handlers">
            <!-- List of request handler(s) -->
            <list>
                <ref bean="verifyUserHandler" />
                <ref bean="userAuthHandler" />
            <!--             
                <ref bean="userAuthDummyHandler" />
             -->    
                <ref bean="userParamHandler" />
                <ref bean="userWebSecurityExpressionHandler" />
            </list>
        </property>
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>
    
    <bean id="preauthAuthProvider"
        class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="preAuthenticatedUserDetailsService">
            <bean id="userDetailsServiceWrapper"
                class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                <property name="userDetailsService" ref="preAuthUserDetailsService" />
            </bean>
        </property>
    </bean>
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider
            ref="preauthAuthProvider">
        </security:authentication-provider>
    </security:authentication-manager>

型
在进一步调试java代码时观察到，在尝试访问此页面时，User Context具有BROKERPERSON和BROKERPERSON以及ROLE_BROKERPERSON和ROLE_BROKERSOWNER的角色和权限。因此，根据我的分析，后端代码在尝试访问页面时具有所需的用户角色和权限，仍然观察到403响应代码。此问题仅针对访问提到特定角色的URL模式进行观察。对于所有访问为全部的URL它工作正常。此外，相同的代码在旧版本中也能正常工作，即JDK 8，Apache Tomcat 8.5，Spring Framework 4.2.x和Spring Security 4.0.x。
作为一种变通方法，我将突出显示的配置从hasAnyRole更改为hasRole，如下所示：

<security:intercept-url pattern="/pages/client/**"
            access="hasRole('BROKERPERSON')" />
<security:intercept-url pattern="/pages/client/**"
            access="hasRole('BROKERPERSONVIEW')" />
<security:intercept-url pattern="/pages/client/**"
            access="hasRole('PROCESSOWNER')" />

型
在此更改后，网页按预期正常工作，并且没有观察到403响应代码。然而，问题仍然是相同的，为什么当使用hasAnyRole时会获得403响应代码。我试图在技术论坛上找到答案，但以前没有看到这种类型的问题报告。请让我知道是否有人以前遇到过类似的问题，并采取措施解决它？