在 Spring 安全中:
<sec:http pattern="/api/**" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/api/**" access="ROLE_ADMIN" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>
在这一行<intercept-url pattern="/api/**" access="ROLE_ADMIN" />
如果我写:有什么不同的含义:
<intercept-url pattern="/api/**" access="hasRole('ROLE_ADMIN')" />
或者:
<intercept-url pattern="/api/**" access="hasAnyRole('ROLE_ADMIN')" />
最佳答案
如Spring Security documentation状态:
hasRole([role]): Returns true if the current principal has the specified
rolehasAnyRole([role1,role2]): Returns true if the current principal has any of the supplied roles (given as a comma-separated list of strings).
此外,在 access 属性上,documentation状态:
access: Lists the access attributes which will be stored in the
FilterInvocationSecurityMetadataSourcefor the defined URL pattern/method combination. This should be a comma-separated list of the security configuration attributes (such as role names).
但就您而言,您将单个元素列表传递给 hasAnyRole,因此:
access="ROLE_ADMIN" Vs access="hasAnyRole('ROLE_ADMIN')
hasRole('ROLE_ADMIN') 和 hasAnyRole('ROLE_ADMIN') 相同,都意味着当前主体应具有 ROLE_ADMIN权威。
(“主体”通常是指可以在您的应用程序中执行操作的用户、设备或其他系统)。
关于java - Spring Security,访问 ="ROLE_ADMIN"与访问 ="hasAnyRole(' ROLE_ADMIN'),我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/37511928/