Spring Boot Security 基于角色的访问控制

Posted 2020-09-23 csonezp

@Override
    protected void configure(HttpSecurity http) throws Exception {
        //如果配置为需要登录
        if (needLogin) {
            http
                    .authorizeRequests()
                    .antMatchers("/keepalived", "/revision","/static/**").permitAll()
                    .antMatchers("/manager/**").hasRole("ADMIN")
                    .anyRequest().authenticated()
                    .and()
                    .formLogin()
                    .loginPage("/login")
                    .defaultSuccessUrl("/index",true)
                    .permitAll()
                    .and()
                    .logout().permitAll();
　　　　　　}
｝

配置如上所示。但是需要注意，检查的是ADMIN角色，库里存的字段要是ROLE_ADMIN,而不是ADMIN。

 

The HttpServletRequest.isUserInRole(String) will determine if SecurityContextHolder.getContext().getAuthentication().getAuthorities() contains a GrantedAuthority with the role passed into isUserInRole(String). Typically users should not pass in the "ROLE_" prefix into this method since it is added automatically. For example, if you want to determine if the current user has the authority "ROLE_ADMIN", you could use the following:

boolean isAdmin = httpServletRequest.isUserInRole("ADMIN");

This might be useful to determine if certain UI components should be displayed. For example, you might display admin links only if the current user is an admin.