此问题在此处已有答案:
Spring Security Role Based Authorization is not working(1个答案)
21天前关闭
我目前正在将应用程序迁移到JDK 17,Apache Tomcat 10.1和Spring Framework 6.0。作为此迁移的一部分,Spring Security框架已迁移到6.1.4。在完成必要的代码和配置更改后,Tomcat应用程序服务器的启动成功,并且能够登录到应用程序。但是,当我试图从应用程序中访问特定的网页时,它会给出403的HTTP响应。
下面是进一步分析问题后得到的一些细节。它是一个GET请求,URL如下:
<base_url>/SwiftWeb/pages/client/client_tab.jsf?sml_current_id=51828371
我检查了Spring Security配置文件(applicationContext-security.xml),并观察到对于此网页,以下是安全配置:
<security:intercept-url pattern="/pages/client/**"
access="hasAnyRole('BROKERPERSON, BROKERPERSONVIEW, PROCESSOWNER')" />字符串
以下是Spring Security配置文件的片段,其中配置了不同页面的角色:
<security:http auto-config="true" use-expressions="true" disable-url-rewriting="true">
<security:form-login login-page="/pages/login.jsf"/>
<security:custom-filter position="PRE_AUTH_FILTER"
ref="preAuthFilter" />
<security:intercept-url pattern="/pages/client/**"
access="hasAnyRole('BROKERPERSON, BROKERPERSONVIEW, PROCESSOWNER')" />
<security:intercept-url pattern="/pages/contacts/**"
access="hasAnyRole('BROKERPERSON, COMPANYADMIN, BRANCHADMIN, PROCESSOWNER, ACCOUNTANT, PREMIUMFUNDINGUSER, SYSTEM')" />
<security:intercept-url pattern="/pages/report/**"
access="permitAll" />
<security:intercept-url pattern="/pages/home/**"
access="permitAll" />
<security:intercept-url pattern="/**/*.jsf" access="permitAll" />
<security:intercept-url pattern="/**/*.gif" access="permitAll" />
<security:intercept-url pattern="/**/*.js" access="permitAll" />
<security:intercept-url pattern="/pages/security/password_update.jsf"
access="hasAnyRole('ROLE_ANONYMOUS, BROKERPERSON, COMPANYADMIN, BRANCHADMIN, PROCESSOWNER, ACCOUNTANT, PREMIUMFUNDINGUSER, SYSTEM')" />
<security:csrf disabled="true"/>
<security:headers >
<security:frame-options policy="SAMEORIGIN" />
<security:hsts disabled="true"/>
<security:content-type-options disabled="true"/>
<security:xss-protection disabled="true"/>
<security:cache-control disabled="true"/>
</security:headers>
</security:http>
<!-- User Context bean defined as session scope using aop scoped proxy -->
<bean id="userContext" class="com.swift.core.security.view.UserContext"
scope="session">
<aop:scoped-proxy proxy-target-class="true" />
</bean>
<!-- List of request handler(s) beans -->
<bean id="verifyUserHandler"
class="com.swift.core.security.common.handlers.VerifyUserRequestHandler" />
<bean id="userAuthHandler"
class="com.swift.core.security.common.handlers.UserAuthenticationRequestHandler" />
<bean id="userAuthDummyHandler"
class="com.swift.core.security.common.handlers.UserAuthenticationRequestDummyHandler" />
<bean id="userParamHandler"
class="com.swift.core.security.common.handlers.UserParameterRequestHandler" />
<bean id="userWebSecurityExpressionHandler"
class="com.swift.core.security.common.handlers.UserWebSecurityExpressionHandler" />
<bean id="preAuthFilter" class="com.swift.core.security.filter.SwiftPreAuthFilter">
<property name="checkForPrincipalChanges">
<value>true</value>
</property>
<property name="handlers">
<!-- List of request handler(s) -->
<list>
<ref bean="verifyUserHandler" />
<ref bean="userAuthHandler" />
<!--
<ref bean="userAuthDummyHandler" />
-->
<ref bean="userParamHandler" />
<ref bean="userWebSecurityExpressionHandler" />
</list>
</property>
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="preauthAuthProvider"
class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper"
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="preAuthUserDetailsService" />
</bean>
</property>
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider
ref="preauthAuthProvider">
</security:authentication-provider>
</security:authentication-manager>型
在进一步调试java代码时观察到,在尝试访问此页面时,User Context具有BROKERPERSON和BROKERPERSON以及ROLE_BROKERPERSON和ROLE_BROKERSOWNER的角色和权限。因此,根据我的分析,后端代码在尝试访问页面时具有所需的用户角色和权限,仍然观察到403响应代码。此问题仅针对访问提到特定角色的URL模式进行观察。对于所有访问为全部的URL它工作正常。此外,相同的代码在旧版本中也能正常工作,即JDK 8,Apache Tomcat 8.5,Spring Framework 4.2.x和Spring Security 4.0.x。
作为一种变通方法,我将突出显示的配置从hasAnyRole更改为hasRole,如下所示:
<security:intercept-url pattern="/pages/client/**"
access="hasRole('BROKERPERSON')" />
<security:intercept-url pattern="/pages/client/**"
access="hasRole('BROKERPERSONVIEW')" />
<security:intercept-url pattern="/pages/client/**"
access="hasRole('PROCESSOWNER')" />型
在此更改后,网页按预期正常工作,并且没有观察到403响应代码。然而,问题仍然是相同的,为什么当使用hasAnyRole时会获得403响应代码。我试图在技术论坛上找到答案,但以前没有看到这种类型的问题报告。请让我知道是否有人以前遇到过类似的问题,并采取措施解决它?
1条答案
按热度按时间yx2lnoni1#
考虑使用
hasAnyRole('BROKERPERSON', 'BROKERPERSONVIEW', 'PROCESSOWNER')。确保每个角色用逗号分隔。有关详细信息,请参阅https://docs.spring.io/spring-security/reference/5.7/servlet/authorization/expression-based.html上的文档。