How do I use custom roles/authorities in Spring Security?

D. *_*ski 31 java spring spring-security

While migrating an old application to Spring Security I get the following exception:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainProxy': Initialization of bean failed; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainList': Cannot resolve reference to bean '_filterSecurityInterceptor' while setting bean property 'filters' with key [3]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterSecurityInterceptor': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Unsupported configuration attributes: [superadmin]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:480)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
at java.security.AccessController.doPrivileged(Native Method)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)

In the old application there are roles such as "superadmin", "editor", "helpdesk" and so on. But in all the Spring Security examples I only see roles of the form "ROLE_..." ("ROLE_ADMIN", etc.). When I rename "superadmin" to "ROLE_ADMIN" and use only that role in the configuration, everything works.

Does not work:

<http auto-config="true">
    <intercept-url pattern="/restricted/**" access="superadmin"/>
    <form-login
        authentication-failure-url="/secure/loginAdmin.do?error=true"
        login-page="/secure/loginAdmin.do" />
</http>

Works:

<http auto-config="true">                                      
    <intercept-url pattern="/restricted/**" access="ROLE_ADMIN"/>
    <form-login
        authentication-failure-url="/secure/loginAdmin.do?error=true"
        login-page="/secure/loginAdmin.do" />        
</http> 

Can custom role names be used?

rod*_*oap 40

You are using the default configuration, which expects roles to start with the "ROLE_" prefix. You have to add a custom security configuration and set rolePrefix to "".

http://forum.springsource.org/archive/index.php/t-53485.html

  • Yes, you can have any roles you want. That link shows a configuration example; it may not help you, but it was useful to D. Wroblewski. If you need more help, just post a new question, plenty of people are ready to answer it. (6 upvotes)

Tom*_*icz 11

Here is a complete configuration using access expressions (the link provided by @rodrigoap seems a bit outdated):

<http
        access-decision-manager-ref="accessDecisionManager"
        use-expressions="true">
    <!-- intercept-url and form-login taken from the question; with use-expressions="true"
         the access attribute is an expression, and in Spring Security 3.x hasRole('superadmin')
         compares the granted authority string as-is, without adding a ROLE_ prefix -->
    <intercept-url pattern="/restricted/**" access="hasRole('superadmin')"/>
    <form-login
        authentication-failure-url="/secure/loginAdmin.do?error=true"
        login-page="/secure/loginAdmin.do" />
</http>

<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
            <beans:bean class="org.springframework.security.access.vote.RoleVoter">
                <!-- empty prefix: the voter now supports any attribute, e.g. "superadmin" -->
                <beans:property name="rolePrefix" value=""/>
            </beans:bean>
            <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
        </beans:list>
    </beans:property>
</beans:bean>
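The root cause of the "Unsupported configuration attributes: [superadmin]" exception in the question is that, at startup, the security interceptor asks the AccessDecisionManager whether every configured attribute is supported, and the default RoleVoter only supports attributes that start with its rolePrefix ("ROLE_"). The stand-alone Java program below is an added example, not code from this thread or from the Spring project; it assumes Spring Security 3.x on the classpath and a constructed user "alice" whose only authority is the legacy role "superadmin". It drives RoleVoter directly, once with the default prefix and once with rolePrefix set to "", so you can see the attribute go from unsupported (the voter abstains) to granted.

```java
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

/**
 * Added example: shows why the attribute "superadmin" is rejected by the default
 * RoleVoter (rolePrefix "ROLE_") and accepted once rolePrefix is set to "".
 */
public class RolePrefixDemo {

    public static void main(String[] args) {
        // Constructed sample user: the only granted authority is the legacy role name.
        Authentication user = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("superadmin"));

        // Equivalent of <intercept-url pattern="/restricted/**" access="superadmin"/>
        List<ConfigAttribute> attrs = SecurityConfig.createList("superadmin");

        RoleVoter defaultVoter = new RoleVoter();   // rolePrefix defaults to "ROLE_"
        RoleVoter customVoter = new RoleVoter();
        customVoter.setRolePrefix("");              // the fix suggested in the answers

        report("default RoleVoter (prefix ROLE_)", defaultVoter, user, attrs);
        report("RoleVoter with rolePrefix=\"\"", customVoter, user, attrs);
    }

    private static void report(String label, RoleVoter voter, Authentication user,
                               Collection<ConfigAttribute> attrs) {
        // AbstractSecurityInterceptor.afterPropertiesSet() validates each attribute through
        // AccessDecisionManager.supports(ConfigAttribute); with AffirmativeBased that is true only
        // if at least one voter supports it. No supporting voter -> the startup exception above.
        boolean supported = true;
        for (ConfigAttribute a : attrs) {
            supported &= voter.supports(a);
        }
        int vote = voter.vote(user, null, attrs); // RoleVoter ignores the secured object
        System.out.println(label + ": supports=" + supported + ", vote=" + describe(vote));
    }

    private static String describe(int vote) {
        switch (vote) {
            case RoleVoter.ACCESS_GRANTED: return "ACCESS_GRANTED";
            case RoleVoter.ACCESS_DENIED:  return "ACCESS_DENIED";
            default:                       return "ACCESS_ABSTAIN";
        }
    }
}
```

With the default prefix the voter reports supports=false and abstains, which is exactly the condition the interceptor turns into the BeanCreationException at startup; with the empty prefix it reports supports=true and grants access because the user holds the "superadmin" authority. Note that an empty prefix makes RoleVoter claim every attribute, so if you also use non-role attributes (for example IS_AUTHENTICATED_FULLY) keep an AuthenticatedVoter in the list, as the configuration above does.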


btp*_*ka3 7

You can also always use expressions (by configuring use-expressions="true") to ignore the ROLE_ prefix.

After reading the Spring Security 3.1 source code, I found that with use-expressions="true":

For <security:http>:
HttpConfigurationBuilder#createFilterSecurityInterceptor() registers only WebExpressionVoter, but not RoleVoter or AuthenticatedVoter;

For <security:global-method-security>: GlobalMethodSecurityBeanDefinitionParser#registerAccessManager() registers PreInvocationAuthorizationAdviceVoter (conditionally), then always registers RoleVoter and AuthenticatedVoter, and conditionally registers Jsr250Voter;

PreInvocationAuthorizationAdviceVoter processes the PreInvocationAttribute generated from @PreAuthorize (PreInvocationExpressionAttribute is used as the implementation). PreInvocationExpressionAttribute#getAttribute() always returns null, so RoleVoter and AuthenticatedVoter do not vote.