Spring Security 3 specify multiple intercept-url access roles

执念已碎 2021-02-05 09:33

I am trying to set up Spring 3 security using JDBC auth. Everything is working fine apart from when I try to specify multiple access roles to an intercept-url. E.g. I want anyone w

5 answers
  • 2021-02-05 09:44

    I had the same issue but used expressions to get around this issue:

    You should embed

    use-expressions="true"
    

    in your existing config. So:

    <security:http auto-config="true" access-denied-page="/denied.jsp" >
    

    becomes

    <security:http auto-config="true" access-denied-page="/denied.jsp" use-expressions="true">
    

    And then:

    <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
    
  • 2021-02-05 09:49

    I am not sure about this problem; actually, I am using it currently in my project and don't see an issue. Try removing the space after the ",". I mean, try using ROLE_USER,ROLE_ADMIN

  • 2021-02-05 09:49

    I decided to downgrade to Spring Security 2.0.5 without changing anything else to check whether this was a bug in 3, and lo-and-behold it was!

    I think I also found a related open bug here - https://jira.springsource.org/browse/SEC-1342

    Solution - use 2.0.5 if you want to use this feature.

  • 2021-02-05 09:50

    I had the same problem when I was trying to migrate from Spring 3.x to 4.x. Finally I found that the "use-expressions" parameter of the "http" tag became "true" by default in Spring 4.x instead of "false" (as it was in old versions).

    P.S. This question is very old for now, but I found this in Google. So somebody else can find it too and this info might be useful then.

  • 2021-02-05 10:02

    I had the same problem and found the answer here.
    Use this line to grant access to a user with both roles:

    <security:intercept-url pattern="/**" access="hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')" />

    If you want to grant access to a user with one of the listed roles, use:

    <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')" />

    Also, you need to enable SpEL in your security *.xml: add use-expressions="true" to the <http> tag.

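The expression-based answers above combined into one complete security context file, as an added example that is not code from any of the posters or from the Spring Security project. The URL patterns `/static/**` and `/admin/**` and the `dataSource` bean reference are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- use-expressions="true": every access attribute below is evaluated as a
       SpEL expression. Plain role lists such as "ROLE_USER,ROLE_ADMIN" belong
       to the non-expression mode and must not be mixed in here. -->
  <security:http auto-config="true" access-denied-page="/denied.jsp"
                 use-expressions="true">

    <!-- Rules are checked top to bottom and the first matching pattern wins,
         so specific patterns go before the catch-all /**. -->

    <!-- Hypothetical public resources: in expression mode use permitAll
         rather than IS_AUTHENTICATED_ANONYMOUSLY. -->
    <security:intercept-url pattern="/static/**" access="permitAll" />

    <!-- Hypothetical admin area: BOTH roles are required (AND). -->
    <security:intercept-url pattern="/admin/**"
        access="hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')" />

    <!-- Everything else: EITHER role is sufficient (OR). -->
    <security:intercept-url pattern="/**"
        access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
  </security:http>

  <!-- JDBC-backed users, as in the question. "dataSource" is assumed to be a
       javax.sql.DataSource bean defined elsewhere in the application context. -->
  <security:authentication-manager>
    <security:authentication-provider>
      <security:jdbc-user-service data-source-ref="dataSource" />
    </security:authentication-provider>
  </security:authentication-manager>
</beans>
```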