我有一个 Spring 应用程序(Spring 版本 2.5.6.SEC01,Spring Security 版本 2.0.5)具有以下设置(这是基于 this question ) :
在security-config.xml 文件中,我有以下配置:
<http>
<!-- Restrict URLs based on role -->
<intercept-url pattern="/WEB-INF/jsp/login.jsp*" access="ROLE_ANONYMOUS" />
<intercept-url pattern="/WEB-INF/jsp/header.jsp*" access="ROLE_ANONYMOUS" />
<intercept-url pattern="/WEB-INF/jsp/footer.jsp*" access="ROLE_ANONYMOUS" />
<intercept-url pattern="/login*" access="ROLE_ANONYMOUS" />
<intercept-url pattern="/index.jsp" access="ROLE_ANONYMOUS" />
<intercept-url pattern="/logoutSuccess*" access="ROLE_ANONYMOUS" />
<intercept-url pattern="/css/**" filters="none" />
<intercept-url pattern="/images/**" filters="none" />
<intercept-url pattern="/**" access="ROLE_ANONYMOUS" />
<anonymous />
<form-login login-page="/login.jsp"/>
</http>
<beans:bean id="myUserDetailsService" class="com.example.login.MyUserDetailsService">
<beans:property name="dataSource" ref="dataSource" />
<custom-authentication-provider />
</beans:bean>
<authentication-provider user-service-ref="myUserDetailsService" />
定义了 com.example.login.MyUserDetailsService 类:
public class MyUserDetailsService extends SimpleJdbcDaoSupport implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException,
DataAccessException {
logger.info("MyUserDetailsService.loadUserByUsername: Entered method. Username [" + userName + "]");
...
}
}
但我没有看到此日志行。如何定义自定义 UserDetailsService 以便设置安全角色?我什至不需要自定义服务,但在 security-config.xml 中有这个
<authentication-provider> <jdbc-user-service data-source-ref="dataSource" />
</authentication-provider>
即使我有用户和权限表,也没有设置角色。如何设置 Spring 安全角色?
最佳答案
只需删除 <custom-authentication-provider>元素。
你的 MyUserDetailsService不是习俗 AuthenticationProvider .实际上,您正在尝试提供默认值 DaoAuthenticationProvider自定义 UserDetailsService .
这是该场景的工作配置示例(我再次建议您使用 auto-config ):
<http auto-config = "true">
<intercept-url pattern="/login.jsp" access="ROLE_ANONYMOUS" />
...
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page="/login.jsp" default-target-url="/XXX.html" />
</http>
<authentication-provider user-service-ref = "userDetailsService" />
<beans:bean id = "userDetailsService" class = "com.example.MyUserService" />
编辑:
web.xml:
...
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
...
登录.jsp:
...
<form method = "POST" action = "<c:url value = "/j_spring_security_check" />">
<table>
<tr>
<td class = "label">Login:</td>
<td><input type = "text" name = "j_username" /></td>
</tr>
<tr>
<td class = "label">Password:</td>
<td><input type = "password" name = "j_password" /></td>
</tr>
<tr>
<td colspan = "2"><input type = "submit" value = "Log in" /></td>
</tr>
</table>
</form>
...
关于java - Spring Security - 未调用自定义身份验证提供程序,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/2031355/