spring-boot - Spring Boot Security hasRole 不起作用

Question

我无法在 @PreAuthorize 注释中使用 hasRole 方法。另外 request.isUserInRole(“ADMIN”) 给出 false。我缺少什么？虽然 .hasAuthority(“ADMIN”) 工作正常。

我正在从数据库中为用户分配权限。

Answer 1

您必须使用前缀 ROLE_ 命名您的权限才能使用 isUserInRole，请参阅 Spring Security Reference :

The HttpServletRequest.isUserInRole(String) will determine if SecurityContextHolder.getContext().getAuthentication().getAuthorities() contains a GrantedAuthority with the role passed into isUserInRole(String). Typically users should not pass in the "ROLE_" prefix into this method since it is added automatically. For example, if you want to determine if the current user has the authority "ROLE_ADMIN", you could use the following:

boolean isAdmin = httpServletRequest.isUserInRole("ADMIN");

与 hasRole 相同(还有 hasAnyRole)，请参阅 Spring Security Reference :

Returns true if the current principal has the specified role. By default if the supplied role does not start with 'ROLE_' it will be added. This can be customized by modifying the defaultRolePrefix on DefaultWebSecurityExpressionHandler.

另请参阅Spring Security Reference :

46.3.3 What does "ROLE_" mean and why do I need it on my role names?

Spring Security has a voter-based architecture which means that an access decision is made by a series of AccessDecisionVoters. The voters act on the "configuration attributes" which are specified for a secured resource (such as a method invocation). With this approach, not all attributes may be relevant to all voters and a voter needs to know when it should ignore an attribute (abstain) and when it should vote to grant or deny access based on the attribute value. The most common voter is the RoleVoter which by default votes whenever it finds an attribute with the "ROLE_" prefix. It makes a simple comparison of the attribute (such as "ROLE_USER") with the names of the authorities which the current user has been assigned. If it finds a match (they have an authority called "ROLE_USER"), it votes to grant access, otherwise it votes to deny access.