我正在尝试删除Spring Security中的"ROLE_"前缀.我尝试的第一件事是:
http.servletApi().rolePrefix("");
这没用,所以我尝试BeanPostProcessor按http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-中的建议创建一个jc.html#m3to4-role-prefixing-disable.那也行不通.
最后,我尝试创建自己的SecurityExpressionHandler:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.expressionHandler(webExpressionHandler())
.antMatchers("/restricted").fullyAuthenticated()
.antMatchers("/foo").hasRole("mycustomrolename")
.antMatchers("/**").permitAll();
}
private SecurityExpressionHandler<FilterInvocation> webExpressionHandler() {
DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
defaultWebSecurityExpressionHandler.setDefaultRolePrefix("");
return defaultWebSecurityExpressionHandler;
}
但是,这也不起作用.如果我使用"hasAuthority(roleName)"而不是hasRole,它按预期工作.
是否可以从Spring Security的hasRole检查中删除ROLE_前缀?