Spring Boot Security: Role-Based Access Control
Posted csonezp
@Override
protected void configure(HttpSecurity http) throws Exception {
    // If the application is configured to require login
    if (needLogin) {
        http
            .authorizeRequests()
                .antMatchers("/keepalived", "/revision", "/static/**").permitAll()
                .antMatchers("/manager/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .defaultSuccessUrl("/index", true)
                .permitAll()
                .and()
            .logout().permitAll();
    }
}
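The configuration is shown above. Note, however, that although the check is written against the ADMIN role, the value stored in the database must be ROLE_ADMIN, not ADMIN: hasRole("ADMIN") adds the ROLE_ prefix automatically before comparing. The Spring Security reference documentation describes the same prefix handling for the Servlet API method isUserInRole: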
The HttpServletRequest.isUserInRole(String) will determine if SecurityContextHolder.getContext().getAuthentication().getAuthorities() contains a GrantedAuthority with the role passed into isUserInRole(String). Typically users should not pass in the "ROLE_" prefix into this method since it is added automatically. For example, if you want to determine if the current user has the authority "ROLE_ADMIN", you could use the following:

boolean isAdmin = httpServletRequest.isUserInRole("ADMIN");

This might be useful to determine if certain UI components should be displayed. For example, you might display admin links only if the current user is an admin.
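
The prefix mismatch described above usually originates where roles are loaded from storage. The following is an added example, not code from the original post: a UserDetailsService that maps stored role strings to authorities so that hasRole("ADMIN") matches whether the column holds ADMIN or ROLE_ADMIN. The class name, the in-memory sample rows, the placeholder password and the toAuthority helper are assumptions for illustration; it needs spring-security-core on the classpath.

```java
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Added example (hypothetical class): builds authorities that hasRole("ADMIN") will match.
public class PrefixedRoleUserDetailsService implements UserDetailsService {

    private static final String ROLE_PREFIX = "ROLE_";

    // Constructed sample rows standing in for the user table (username -> stored roles).
    // A real implementation would query the database here.
    private final Map<String, List<String>> storedRoles = Map.of(
            "alice", List.of("ADMIN"),      // stored without the prefix
            "bob", List.of("ROLE_USER"));   // stored with the prefix

    // Hypothetical helper: give every stored role exactly one ROLE_ prefix.
    static GrantedAuthority toAuthority(String storedRole) {
        String role = storedRole.trim();
        if (role.isEmpty()) {
            throw new IllegalArgumentException("empty role value in storage");
        }
        return new SimpleGrantedAuthority(role.startsWith(ROLE_PREFIX) ? role : ROLE_PREFIX + role);
    }

    @Override
    public UserDetails loadUserByUsername(String username) {
        List<String> roles = storedRoles.get(username);
        if (roles == null) {
            throw new UsernameNotFoundException(username);
        }
        return User.withUsername(username)
                .password("{bcrypt}PLACEHOLDER_HASH") // constructed placeholder, not a real hash
                .authorities(roles.stream()
                        .map(PrefixedRoleUserDetailsService::toAuthority)
                        .collect(Collectors.toList()))
                .build();
    }

    public static void main(String[] args) {
        UserDetailsService service = new PrefixedRoleUserDetailsService();
        for (String name : List.of("alice", "bob")) {
            UserDetails user = service.loadUserByUsername(name);
            boolean admin = user.getAuthorities().stream()
                    .anyMatch(a -> a.getAuthority().equals(ROLE_PREFIX + "ADMIN"));
            System.out.println(name + " " + user.getAuthorities() + " matches hasRole(\"ADMIN\"): " + admin);
        }
    }
}
```

Without the normalisation in toAuthority, the row that stores plain ADMIN would produce the authority ADMIN, and requests to /manager/** would be rejected with 403 even though the user is an administrator.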