Spring Security hierarchical roles not working

Problem description

I am trying out role hierarchies, but it does not work. I have a method that already works. I changed the role name from ROLE_OP_JWNDIL to ROLE_OP_JWNDIL_TEST.

@RequestMapping(value = "status", method = RequestMethod.POST)
@PreAuthorize("hasRole('ROLE_OP_JWNDIL_TEST')")
public Response<Boolean> enableNetwork(
        @RequestHeader(HDR_AUTHORIZATION) String authToken,
        @PathVariable("lineId") String lineId,
        @PathVariable("nwtype") String nwtype,
        final boolean realTime) {
    // method body not shown in the question
}

Then I made this change in spring-security.xml.

<bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <property name="hierarchy">
        <value>
            ROLE_OP_JWNDIL > ROLE_OP_JWNDIL_TEST
        </value>
    </property>
</bean>

<bean id="webSecurityExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
    <property name="roleHierarchy" ref="roleHierarchy"/>
</bean>

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
            <bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                <property name="expressionHandler" ref="webSecurityExpressionHandler" />
            </bean>
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
        </list>
    </constructor-arg>
</bean>

But now I get an access denied error.

2021-08-11 14:45:03,695 [http-nio-8080-exec-8] DEBUG aopalliance.MethodSecurityInterceptor 348 [] - Previously Authenticated: org.springframework.security.oauth2.provider.OAuth2Authentication@4abecc37: Principal: org.springframework.security.core.userdetails.User@d84: Username: lp; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ALERTS,ROLE_ALL,ROLE_ISP_ADMIN,ROLE_LED,ROLE_OPT_RW,ROLE_OP_JWNDIL,ROLE_OP_LB,ROLE_OP_REBOOT,ROLE_OP_SJEMPQ,ROLE_PROFILES_READER,ROLE_REPORTS,ROLE_SEARCH,ROLE_spuser; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenType=Bearer, tokenValue=<TOKEN>; Granted Authorities: ROLE_ALERTS, ROLE_ALL, ROLE_ISP_ADMIN, ROLE_LED, ROLE_OPT_RW, ROLE_OP_JWNDIL, ROLE_OP_LB, ROLE_OP_LB_QHSUER, ROLE_OP_SJEMPQ, ROLE_PROFILES_READER, ROLE_REPORTS, ROLE_SEARCH, ROLE_spuser
2021-08-11 14:45:03,695 [http-nio-8080-exec-8] DEBUG vote.AffirmativeBased 66 [] - Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@77f06abc, returned: -1
2021-08-11 14:45:03,695 [http-nio-8080-exec-8] DEBUG vote.AffirmativeBased 66 [] - Voter: org.springframework.security.access.vote.RoleVoter@b74bab6, returned: 0
2021-08-11 14:45:03,695 [http-nio-8080-exec-8] DEBUG vote.AffirmativeBased 66 [] - Voter: org.springframework.security.access.vote.AuthenticatedVoter@636a3a0f, returned: 0
2021-08-11 14:45:03,696 [http-nio-8080-exec-8] WARN  controller.BaseController 182 [] - 401 UNAUTHORIZED - Access is denied

Other relevant lines of spring-security.xml.

<http pattern="/api/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint" access-decision-manager-ref="accessDecisionManager"
      xmlns="http://www.springframework.org/schema/security" use-expressions="true">
    <anonymous enabled="false" />
    <sec:csrf disabled="true" />
    <intercept-url pattern="/api/v2/**" access="isFullyAuthenticated()" />
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <custom-filter ref="csrfFilter" before="SECURITY_CONTEXT_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
</http>

<sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
    <sec:expression-handler ref="oauthExpressionHandler" />
</sec:global-method-security>

<oauth:expression-handler id="oauthExpressionHandler" />

<oauth:web-expression-handler id="oauthWebExpressionHandler" />

EDIT1: Full log as requested.

2021-08-11 15:34:51,630 [http-nio-8080-exec-2] DEBUG matcher.AntPathRequestMatcher 177 [] - Checking match of request : '/api/v3/line/112233/networks/Main/status'; against '/oauth/cache_approvals'
2021-08-11 15:34:51,630 [http-nio-8080-exec-2] DEBUG matcher.AntPathRequestMatcher 177 [] - Checking match of request : '/api/v3/line/112233/networks/Main/status'; against '/oauth/uncache_approvals'
2021-08-11 15:34:51,630 [http-nio-8080-exec-2] DEBUG matcher.AntPathRequestMatcher 177 [] - Checking match of request : '/api/v3/line/112233/networks/Main/status'; against '/oauth/token'
2021-08-11 15:34:51,630 [http-nio-8080-exec-2] DEBUG matcher.AntPathRequestMatcher 177 [] - Checking match of request : '/api/v3/line/112233/networks/Main/status'; against '/web/**'
2021-08-11 15:34:51,630 [http-nio-8080-exec-2] DEBUG matcher.AntPathRequestMatcher 177 [] - Checking match of request : '/api/v3/line/112233/networks/Main/status'; against '/api/**'
2021-08-11 15:34:51,632 [http-nio-8080-exec-2] DEBUG web.FilterChainProxy 328 [] - /api/v3/line/112233/networks/Main/status at position 1 of 10 in additional filter chain; firing Filter: 'CSRFValidationFilter'
2021-08-11 15:34:51,632 [http-nio-8080-exec-2] DEBUG web.FilterChainProxy 328 [] - /api/v3/line/112233/networks/Main/status at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2021-08-11 15:34:51,633 [http-nio-8080-exec-2] DEBUG context.HttpSessionSecurityContextRepository 173 [] - No HttpSession currently exists
2021-08-11 15:34:51,633 [http-nio-8080-exec-2] DEBUG context.HttpSessionSecurityContextRepository 117 [] - No SecurityContext was available from the HttpSession: null. A new one will be created.
2021-08-11 15:34:51,642 [http-nio-8080-exec-2] DEBUG web.FilterChainProxy 328 [] - /api/v3/line/112233/networks/Main/status at position 3 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2021-08-11 15:34:51,658 [http-nio-8080-exec-2] DEBUG web.FilterChainProxy 328 [] - /api/v3/line/112233/networks/Main/status at position 4 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2021-08-11 15:34:51,662 [http-nio-8080-exec-2] DEBUG web.FilterChainProxy 328 [] - /api/v3/line/112233/networks/Main/status at position 5 of 10 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
2021-08-11 15:34:52,156 [http-nio-8080-exec-2] DEBUG authentication.OAuth2AuthenticationProcessingFilter 159 [] - Authentication success: org.springframework.security.oauth2.provider.OAuth2Authentication@4abecc37: Principal: org.springframework.security.core.userdetails.User@d84: Username: mp; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ALERTS,ROLE_ALL,ROLE_ISP_ADMIN,ROLE_LED,ROLE_OPT_RW,ROLE_OP_AGENTCONFIGURATION,ROLE_OP_CONFIGURATION_BACKUP,ROLE_OP_CONFIGURATION_RESTORE,ROLE_OP_DATACOLLECTION,ROLE_OP_JWNDIL,ROLE_OP_LB,ROLE_OP_LB_QHSUER,ROLE_OP_REBOOT,ROLE_OP_SJEMPQ,ROLE_PROFILES_READER,ROLE_REPORTS,ROLE_SEARCH,ROLE_WATCHDOG_APIS,ROLE_spuser; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenType=Bearer, tokenValue=<TOKEN>; Granted Authorities: ROLE_ALERTS, ROLE_ALL, ROLE_ISP_ADMIN, ROLE_LED, ROLE_OPT_RW, ROLE_OP_AGENTCONFIGURATION, ROLE_OP_CONFIGURATION_BACKUP, ROLE_OP_CONFIGURATION_RESTORE, ROLE_OP_DATACOLLECTION,  ROLE_OP_JWNDIL, ROLE_OP_LB, ROLE_OP_LB_QHSUER, ROLE_OP_REBOOT, ROLE_OP_SJEMPQ, ROLE_PROFILES_READER, ROLE_REPORTS, ROLE_SEARCH, ROLE_WATCHDOG_APIS, ROLE_spuser
2021-08-11 15:34:52,157 [http-nio-8080-exec-2] DEBUG web.FilterChainProxy 328 [] - /api/v3/line/112233/networks/Main/status at position 6 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2021-08-11 15:34:52,157 [http-nio-8080-exec-2] DEBUG savedrequest.HttpSessionRequestCache 95 [] - saved request doesn't match
2021-08-11 15:34:52,157 [http-nio-8080-exec-2] DEBUG web.FilterChainProxy 328 [] - /api/v3/line/112233/networks/Main/status at position 7 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2021-08-11 15:34:52,161 [http-nio-8080-exec-2] DEBUG web.FilterChainProxy 328 [] - /api/v3/line/112233/networks/Main/status at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
2021-08-11 15:34:52,161 [http-nio-8080-exec-2] DEBUG session.CompositeSessionAuthenticationStrategy 87 [] - Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@65580a10
2021-08-11 15:34:52,163 [http-nio-8080-exec-2] DEBUG context.HttpSessionSecurityContextRepository 404 [] - The HttpSession is currently null, and the HttpSessionSecurityContextRepository is prohibited from creating an HttpSession (because the allowSessionCreation property is false) - SecurityContext thus not stored for next request
2021-08-11 15:34:52,163 [http-nio-8080-exec-2] DEBUG web.FilterChainProxy 328 [] - /api/v3/line/112233/networks/Main/status at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2021-08-11 15:34:52,163 [http-nio-8080-exec-2] DEBUG web.FilterChainProxy 328 [] - /api/v3/line/112233/networks/Main/status at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2021-08-11 15:34:52,163 [http-nio-8080-exec-2] DEBUG matcher.AntPathRequestMatcher 177 [] - Checking match of request : '/api/v3/line/112233/networks/Main/status'; against '/api/v2/**'
2021-08-11 15:34:52,163 [http-nio-8080-exec-2] DEBUG intercept.FilterSecurityInterceptor 210 [] - Public object - authentication not attempted
2021-08-11 15:34:52,163 [http-nio-8080-exec-2] DEBUG web.FilterChainProxy 313 [] - /api/v3/line/112233/networks/Main/status reached end of additional filter chain; proceeding with original chain
2021-08-11 15:34:52,178 [http-nio-8080-exec-2] DEBUG servlet.DispatcherServlet 91 [] - POST "/api/v3/line/112233/networks/Main/status", parameters={}
2021-08-11 15:34:52,197 [http-nio-8080-exec-2] DEBUG annotation.RequestMappingHandlerMapping 414 [] - Mapped to com.asi.hch.shared.networkoperations.V3NetworkOperationsController#enableNetwork(String, String, String, boolean)
2021-08-11 15:34:52,270 [http-nio-8080-exec-2] DEBUG aopalliance.MethodSecurityInterceptor 219 [] - Secure object: ReflectiveMethodInvocation: public com.asi.hch.shared.controller.Response com.asi.hch.shared.networkoperations.V3NetworkOperationsController.enableNetwork(java.lang.String,java.lang.String,java.lang.String,boolean); target is of class [com.asi.hch.shared.networkoperations.V3NetworkOperationsController]; Attributes: [[authorize: '#oauth2.throwOnError(hasRole('ROLE_OP_JWNDIL_KENAN'))', filter: 'null', filterTarget: 'null']]
2021-08-11 15:34:52,270 [http-nio-8080-exec-2] DEBUG aopalliance.MethodSecurityInterceptor 348 [] - Previously Authenticated: org.springframework.security.oauth2.provider.OAuth2Authentication@4abecc37: Principal: org.springframework.security.core.userdetails.User@d84: Username: lp; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ALERTS,ROLE_ALL,ROLE_ISP_ADMIN,ROLE_LED,ROLE_OPT_RW,ROLE_OP_AGENTCONFIGURATION,ROLE_OP_CONFIGURATION_BACKUP,ROLE_OP_CONFIGURATION_RESTORE,ROLE_OP_DATACOLLECTION,ROLE_OP_JWNDIL,ROLE_OP_LB,ROLE_OP_LB_QHSUER,ROLE_OP_REBOOT,ROLE_OP_SJEMPQ,ROLE_PROFILES_READER,ROLE_REPORTS,ROLE_SEARCH,ROLE_WATCHDOG_APIS,ROLE_spuser; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenType=Bearer, tokenValue=<TOKEN>; Granted Authorities: ROLE_ALERTS, ROLE_ALL, ROLE_ISP_ADMIN, ROLE_LED, ROLE_OPT_RW, ROLE_OP_AGENTCONFIGURATION, ROLE_OP_CONFIGURATION_BACKUP, ROLE_OP_CONFIGURATION_RESTORE, ROLE_OP_DATACOLLECTION,  ROLE_OP_JWNDIL, ROLE_OP_LB, ROLE_OP_LB_QHSUER, ROLE_OP_REBOOT, ROLE_OP_SJEMPQ, ROLE_PROFILES_READER, ROLE_REPORTS, ROLE_SEARCH, ROLE_WATCHDOG_APIS, ROLE_spuser
2021-08-11 15:34:52,308 [http-nio-8080-exec-2] DEBUG vote.AffirmativeBased 66 [] - Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@66006193, returned: -1
2021-08-11 15:34:52,308 [http-nio-8080-exec-2] DEBUG vote.AffirmativeBased 66 [] - Voter: org.springframework.security.access.vote.RoleVoter@34314d05, returned: 0
2021-08-11 15:34:52,308 [http-nio-8080-exec-2] DEBUG vote.AffirmativeBased 66 [] - Voter: org.springframework.security.access.vote.AuthenticatedVoter@141bdcc5, returned: 0
2021-08-11 15:34:52,312 [http-nio-8080-exec-2] DEBUG support.ReloadableResourceBundleMessageSource 455 [] - No properties file found for [classpath:messages] - neither plain properties nor XML
2021-08-11 15:34:52,315 [http-nio-8080-exec-2] DEBUG support.ReloadableResourceBundleMessageSource 455 [] - No properties file found for [classpath:messages_en_US] - neither plain properties nor XML
2021-08-11 15:34:52,320 [http-nio-8080-exec-2] DEBUG support.ReloadableResourceBundleMessageSource 493 [] - Loading properties [messages_en.properties] with encoding 'UTF-8'
2021-08-11 15:34:52,329 [http-nio-8080-exec-2] DEBUG annotation.ExceptionHandlerExceptionResolver 398 [] - Using @ExceptionHandler com.asi.hch.shared.networkoperations.V3NetworkOperationsController#handleRoleException(AccessDeniedException)
2021-08-11 15:34:52,329 [http-nio-8080-exec-2] WARN  controller.BaseController 182 [] - 401 UNAUTHORIZED - Access is denied
2021-08-11 15:34:52,397 [http-nio-8080-exec-2] DEBUG annotation.RequestResponseBodyMethodProcessor 265 [] - Using 'application/json', given [*/*] and supported [application/json, application/*+json]
2021-08-11 15:34:52,399 [http-nio-8080-exec-2] DEBUG annotation.RequestResponseBodyMethodProcessor 91 [] - Writing [Response(code=1603, message=User does not have the permission to invoke this API, data=null, errorDe (truncated)...]
2021-08-11 15:34:52,422 [http-nio-8080-exec-2] DEBUG annotation.ExceptionHandlerExceptionResolver 145 [] - Resolved [org.springframework.security.access.AccessDeniedException: Access is denied]
2021-08-11 15:34:52,422 [http-nio-8080-exec-2] DEBUG servlet.DispatcherServlet 1131 [] - Completed 401 UNAUTHORIZED
2021-08-11 15:34:52,506 [http-nio-8080-exec-2] DEBUG logging.LoggingFilter 129 [] - CCSvc> 2> POST http://localhost:8080/hch-sp/api/v3/line/112233/networks/Main/status  {request-ip=0:0:0:0:0:0:0:1, content-length=0, postman-token=98dcf68a-3178-49c5-a582-fe6749d79557, accept-encoding=gzip, deflate, br, user-agent=PostmanRuntime/7.26.8} 
2021-08-11 15:34:52,506 [http-nio-8080-exec-2] DEBUG logging.LoggingFilter 131 [] - CCSvc< 2< 401^2< 251^2< {"code":1603,"message":"User does not have the permission to invoke this API","data":null,"errorDetails":null}
2021-08-11 15:34:52,510 [http-nio-8080-exec-2] DEBUG disk.Segment 425 [] - put added 0 on heap
2021-08-11 15:34:52,510 [http-nio-8080-exec-2] DEBUG access.ExceptionTranslationFilter 120 [] - Chain processed normally
2021-08-11 15:34:52,510 [http-nio-8080-exec-2] DEBUG writers.HstsHeaderWriter 169 [] - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@710af346
2021-08-11 15:34:52,510 [http-nio-8080-exec-2] DEBUG context.HttpSessionSecurityContextRepository 404 [] - The HttpSession is currently null, and the HttpSessionSecurityContextRepository is prohibited from creating an HttpSession (because the allowSessionCreation property is false) - SecurityContext thus not stored for next request
2021-08-11 15:34:52,511 [http-nio-8080-exec-2] DEBUG context.SecurityContextPersistenceFilter 119 [] - SecurityContextHolder now cleared, as request processing completed
2021-08-11 15:34:52,512 [audit%0054rail.data] DEBUG disk.Segment 779 [] - fault removed 0 from heap
2021-08-11 15:34:52,512 [audit%0054rail.data] DEBUG disk.Segment 796 [] - fault added 0 on disk

Tags: java, spring, spring-security
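An added example, not part of the question and not Spring's own code: the denial in the log comes from the vote.AffirmativeBased / PreInvocationAuthorizationAdviceVoter lines, which is the @PreAuthorize path evaluated by the global-method-security expression handler (oauthExpressionHandler), while the roleHierarchy bean was wired only into webSecurityExpressionHandler for the <http> layer. The snippet reproduces that difference in plain Java by evaluating hasRole('ROLE_OP_JWNDIL_TEST') for a user who holds only the parent role ROLE_OP_JWNDIL, once through an expression root without the hierarchy and once with it; the username and authority list are constructed, and the hierarchy string is the one from the question.

```java
import java.util.Collection;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

public class RoleHierarchyCheck {
    // The hierarchy string from the question's roleHierarchy bean.
    static final String HIERARCHY = "ROLE_OP_JWNDIL > ROLE_OP_JWNDIL_TEST";

    static RoleHierarchyImpl hierarchy() {
        RoleHierarchyImpl h = new RoleHierarchyImpl();
        h.setHierarchy(HIERARCHY);
        return h;
    }

    // Constructed stand-in for the token in the log: the user holds the parent
    // role ROLE_OP_JWNDIL but not ROLE_OP_JWNDIL_TEST itself.
    static Authentication parentRoleOnly() {
        return new TestingAuthenticationToken("lp", "n/a", "ROLE_OP_JWNDIL", "ROLE_ALERTS");
    }

    // The authorities the hierarchy expands the user's granted authorities to.
    static Collection<? extends GrantedAuthority> reachable(Authentication auth) {
        return hierarchy().getReachableGrantedAuthorities(auth.getAuthorities());
    }

    // hasRole('ROLE_OP_JWNDIL_TEST') as SecurityExpressionRoot evaluates it when the
    // expression handler that built it has no roleHierarchy (the @PreAuthorize path).
    static boolean hasRoleWithoutHierarchy(Authentication auth) {
        SecurityExpressionRoot root = new SecurityExpressionRoot(auth) { };
        return root.hasRole("ROLE_OP_JWNDIL_TEST");
    }

    // The same check once the root has the hierarchy, which is what setting
    // roleHierarchy on the method-security expression handler gives it.
    static boolean hasRoleWithHierarchy(Authentication auth) {
        SecurityExpressionRoot root = new SecurityExpressionRoot(auth) { };
        root.setRoleHierarchy(hierarchy());
        return root.hasRole("ROLE_OP_JWNDIL_TEST");
    }

    public static void main(String[] args) {
        Authentication auth = parentRoleOnly();
        System.out.println("reachable authorities: " + reachable(auth));
        System.out.println("without hierarchy: " + hasRoleWithoutHierarchy(auth));
        System.out.println("with hierarchy: " + hasRoleWithHierarchy(auth));
    }
}
```

The hierarchy only changes the outcome for the expression root that was given it, so the hierarchy must be handed to the handler referenced by global-method-security, not just to the web expression handler.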
