4
我有以下的用户XHTML页面:<秒:授权>不起作用
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:p="http://primefaces.org/ui"
xmlns:sec="http://www.springframework.org/security/tags">
<head>
<title>User</title>
</head>
<body>
<p>User</p>
<sec:authorize access="hasRole('ROLE_ADMIN')">
<p>Only admin can see this !</p>
</sec:authorize>
</body>
</html>
但是,当我访问该页面与谁没有作用ROLE_ADMIN用户,他仍然可以看到“只有管理员可以看到这个!”
编辑:
这里是我的春天的安全配置:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p" xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.2.xsd">
<http pattern="/resources" security="none" />
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login**" access="permitAll" />
<intercept-url pattern="/denied**" access="permitAll" />
<intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')" />
<form-login login-page="/login.xhtml"
authentication-failure-url="/denied.xhtml"
authentication-success-handler-ref="securityAuthenticationSuccessHandler" />
<access-denied-handler error-page="/denied.xhtml" />
<logout logout-success-url="/login.xhtml" delete-cookies="JSESSIONID"
invalidate-session="true" />
</http>
<authentication-manager>
<authentication-provider user-service-ref="securityProviderServiceImpl">
<password-encoder hash="md5" />
</authentication-provider>
</authentication-manager>
</beans:beans>
有什么错呢?
谢谢。
编辑2:
我对安全标记库一个警告 “的xmlns:秒=” HTTP://www.springframework。 org/security/tags“”
NLS missing message: CANNOT_FIND_FACELET_TAGLIB in: org.eclipse.jst.jsf.core.validation.internal.facelet.messages
重要吗?这是问题的原因吗?
我Maven的安全依赖关系:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>${org.springframework.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${org.springframework.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${org.springframework.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>${org.springframework.security.version}</version>
</dependency>
配置看起来没错。在不重新启动浏览器的情况下测试页面时,您是否更改了权限?用户权限是Spring Security中的会话范围。 – Bowen
@Conan对不起,我不明白“在不重新启动浏览器的情况下测试页面时更改权限”是什么意思,但我已经测试了多个用户(具有不同角色,管理员和非管理员)以及每个用户它显示“只有管理员可以看到这个!”...我认为它根本不会识别标签 ....但是为什么? –
Siho
@Conan(和大家),我错过了一个依赖? – Siho