2016-08-25 47 views

sec:authorize does not work with custom roles

I have some custom roles like this:

    <span sec:authentication="principal.authorities">[MENU_USER, BUTTON_ADD_USER,ROLE_USER, MENU_PRIVILEGE, BUTTON_EDIT_USER]</span>

    <div sec:authorize="hasRole('MENU_USER')">

        <span>This content is only shown to administrators.</span>

    </div>

When I use "ROLE_USER", the text inside the span is displayed correctly, but when I use any other role the text is not displayed. Then I added the "ROLE_" prefix to my custom roles and it worked again.

I tried to remove the "ROLE_" prefix restriction like this:

    @Bean
    AccessDecisionManager accessDecisionManager() {
        // RoleVoter with an empty prefix accepts attributes such as "MENU_USER"
        RoleVoter voter = new RoleVoter();
        voter.setRolePrefix("");
        List<AccessDecisionVoter<? extends Object>> voters = new ArrayList<>();

        voters.add(new WebExpressionVoter());
        voters.add(voter);
        voters.add(new AuthenticatedVoter());
        AffirmativeBased decisionManager = new AffirmativeBased(voters);
        return decisionManager;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .accessDecisionManager(accessDecisionManager())
                .antMatchers("/webjars/**", "/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .loginProcessingUrl("/j_spring_security_check")
                .usernameParameter("j_username")
                .passwordParameter("j_password")
                .defaultSuccessUrl("/home", true)
                .failureUrl("/test")
                .and()

            // logout is
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/login?logout")
                .permitAll();
    }

It does not work either. Any idea how to remove the mandatory "ROLE_" prefix?

Check http://stackoverflow.com/questions/21620076/spring-security-remove-rolevoter-prefix and http://stackoverflow.com/questions/10939792/custom-rolevoter-and-accessing-userrole for a different voter check –

Answer

Upgrading Spring Security to 4.0.3 caused the problem. According to the Spring Security doc:

    By default, if the supplied role does not start with "ROLE_" it will be added. This can be customized by modifying the defaultRolePrefix on DefaultWebSecurityExpressionHandler.

I added the code below to my SecurityConfig.java and the problem was fixed.

    @Bean
    DefaultWebSecurityExpressionHandler webSecurityExpressionHandler() {
        DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
        handler.setDefaultRolePrefix("");
        return handler;
    }

Later, I found in the Spring Security migration guide (spring security migrating):

    An official patch can disable the automatic ROLE_ prefix using a BeanPostProcessor similar to the following:

    package sample.role_;

    import org.springframework.beans.BeansException;
    import org.springframework.beans.factory.config.BeanPostProcessor;
    import org.springframework.core.PriorityOrdered;
    import org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource;
    import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
    import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
    import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;

    public class DefaultRolesPrefixPostProcessor implements BeanPostProcessor, PriorityOrdered {

        @Override
        public Object postProcessAfterInitialization(Object bean, String beanName)
                throws BeansException {

            // remove this if you are not using JSR-250
            if (bean instanceof Jsr250MethodSecurityMetadataSource) {
                ((Jsr250MethodSecurityMetadataSource) bean).setDefaultRolePrefix(null);
            }

            if (bean instanceof DefaultMethodSecurityExpressionHandler) {
                ((DefaultMethodSecurityExpressionHandler) bean).setDefaultRolePrefix(null);
            }
            if (bean instanceof DefaultWebSecurityExpressionHandler) {
                ((DefaultWebSecurityExpressionHandler) bean).setDefaultRolePrefix(null);
            }
            if (bean instanceof SecurityContextHolderAwareRequestFilter) {
                ((SecurityContextHolderAwareRequestFilter) bean).setRolePrefix("");
            }
            return bean;
        }

        @Override
        public Object postProcessBeforeInitialization(Object bean, String beanName)
                throws BeansException {
            return bean;
        }

        @Override
        public int getOrder() {
            return PriorityOrdered.HIGHEST_PRECEDENCE;
        }
    }

and then define it as a bean:

    @Bean
    public static DefaultRolesPrefixPostProcessor defaultRolesPrefixPostProcessor() {
        return new DefaultRolesPrefixPostProcessor();
    }
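The prefix behaviour described in the answer can be checked without a web container. The following is an added example, not code from the question or the answer: it evaluates the same `hasRole()` / `hasAuthority()` expressions from the question against a constructed user (the authority list and user name are assumptions) with a stock DefaultWebSecurityExpressionHandler and with one whose defaultRolePrefix is cleared, so the effect of the setting on each expression is visible side by side.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;

/** Added example: compares web-security expressions with and without the ROLE_ default prefix. */
public class RolePrefixDemo {

    /** Evaluates one SpEL access expression for the given handler and authenticated user. */
    static boolean evaluate(DefaultWebSecurityExpressionHandler handler,
                            Authentication user, String expression) {
        // FilterInvocation(servletPath, method) builds a dummy request/response pair,
        // which is all the expression root needs outside a running filter chain.
        FilterInvocation invocation = new FilterInvocation("/", "GET");
        EvaluationContext ctx = handler.createEvaluationContext(user, invocation);
        ExpressionParser parser = new SpelExpressionParser();
        Expression expr = parser.parseExpression(expression);
        return ExpressionUtils.evaluateAsBoolean(expr, ctx);
    }

    public static void main(String[] args) {
        // Constructed sample user (assumption): authorities stored exactly as in the
        // question, i.e. custom ones without a prefix plus the prefixed ROLE_USER.
        Authentication user = new TestingAuthenticationToken("alice", "n/a",
                AuthorityUtils.createAuthorityList("MENU_USER", "BUTTON_ADD_USER", "ROLE_USER"));

        DefaultWebSecurityExpressionHandler defaultHandler = new DefaultWebSecurityExpressionHandler();
        DefaultWebSecurityExpressionHandler noPrefixHandler = new DefaultWebSecurityExpressionHandler();
        noPrefixHandler.setDefaultRolePrefix(""); // the fix from the answer

        List<String> checks = Arrays.asList(
                "hasRole('MENU_USER')", "hasRole('USER')", "hasAuthority('MENU_USER')");
        for (String check : checks) {
            System.out.printf("%-28s default prefix: %-5s  no prefix: %s%n", check,
                    evaluate(defaultHandler, user, check), evaluate(noPrefixHandler, user, check));
        }
    }
}
```

Clearing the prefix changes what every `hasRole()` expression in that handler compares against, so an authority stored as ROLE_USER and an expression written as hasRole('USER') no longer agree; stored authority names and the expressions that check them have to follow one convention.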