gpt4 book ai didi

java - 无法基于安全性隐藏链接

转载 作者:塔克拉玛干 更新时间:2023-11-02 19:07:15 26 4
gpt4 key购买 nike

我试图仅在允许用户角色时显示链接。但是链接并没有隐藏,任何角色的所有内容都会显示出来。

在这里看到这么多类似的查询,但没有一个解决方案有效。请告诉我我缺少什么。

配置。

@Configuration
@EnableWebSecurity
public class SecConfig extends WebSecurityConfigurerAdapter{

private final String USER = "USER";
private final String ADMIN = "ADMIN";

@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/").hasAnyRole(USER, ADMIN)
.antMatchers("/closed").hasRole(ADMIN).and()
.formLogin().defaultSuccessUrl("/");
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("jane").password(passwordEncoder().encode("qwe")).roles(ADMIN, USER).and()
.withUser("john").password(passwordEncoder().encode("qwe")).roles(USER);
}

@Bean
public BCryptPasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
}

POM

<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity4</artifactId>
</dependency>

<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>

HTML

<a th:href="@{/closed}">Go to closed</a>

<br/><br/>

<form th:action="@{/logout}" method="post">
<input type="submit" value="Log out">
</form>

<br/>

<h2>Welcome</h2>
<p>Spring Security Thymeleaf</p>
<div sec:authorize="hasRole('USER')">Text visible to user.</div>
<div sec:authorize="hasRole('ADMIN')">Text visible to admin.</div>
<div sec:authorize="isAuthenticated()">
Text visible only to authenticated users.
</div>
Authenticated username:
<div sec:authentication="name"></div>
Authenticated user roles:
<div sec:authentication="principal.authorities"></div>

上面的所有内容都会为 Jane 显示,即使她没有管理员访问权限。此外,甚至她的角色和用户名也不显示。

我也试过如下配置方言,这没有什么区别。

@Configuration
public class LeafConfig {

@Bean
public SpringSecurityDialect springSecurityDialect(){
return new SpringSecurityDialect();
}
}

以下是为 Jane 或 John 显示的内容。没有区别:

Welcome
Spring Security Thymeleaf

Text visible to user.
Text visible to admin.
Text visible only to authenticated users.
Authenticated username:
Authenticated user roles:

最佳答案

由于您使用的是 Spring Security 附加功能,因此您可以尝试使用 ${#authorization.expression('hasRole(''ROLE_ADMIN'')'} 而不是 sec:authorization. 例如.

<div th:if="${#authorization.expression('hasRole(''USER'')'}">Text visible to user.</div>
<div th:if="${#authorization.expression('hasRole(''ADMIN'')'}">Text visible to admin.</div>
<div th:if="${#authorization.expression('isAuthenticated()')}">
Text visible only to authenticated users.
</div>

如果您使用权限而不是角色,则以下代码可以解决问题。

<div th:if="${#authorization.expression('hasAuthority(''ADMIN'')')}">ADMIN</div>
<div th:if="${#authorization.expression('hasAuthority(''USER'')')}">USER</div>
<div th:if="${#authorization.expression('isAuthenticated()')}">
Text visible only to authenticated users.
</div>
</div>

关于您的配置,在您的 .pom 中将您的 org.thymeleaf.extras 更改为 thymeleaf-extras-springsecurity5 并且您需要将 Spring Dialect @Bean 添加到您的配置中。

POM

<dependencies>
...
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
</dependency>
...
</dependencies>

叶子配置

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect;

@Configuration
public class LeafConfig {

@Bean
public SpringSecurityDialect springSecurityDialect(){
return new SpringSecurityDialect();
}

}

在这些更改之后,一切都应该按预期工作。

关于java - 无法基于安全性隐藏链接,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/53154549/

26 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com