为什么在点击登录时得到 403 Forbidden
Why get 403 Forbidden while click on login
我正在处理 Spring MVC 项目。我使用 Spring 安全来保护我项目的 url。当我单击登录按钮时登录成功,但在 localhost:8092/user/index
url 上出现错误 type=Forbidden, status=403
。我认为 Spring 安全中断 url.
下面是Spring Security
的代码:
CustomUserDetail
public class CustomUserDetail implements UserDetails {
private User user;
public CustomUserDetail(User user) {
super();
this.user = user;
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
SimpleGrantedAuthority authority = new SimpleGrantedAuthority(user.getRole());
return List.of(authority);
}
@Override
public String getPassword() {
return user.getPassword();
}
@Override
public String getUsername() {
return user.getEmail();
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
UserDetailsServiceImpl
public class UserDetailsServiceImpl implements UserDetailsService{
@Autowired
private UserRepo userRepo;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userRepo.getUserByUserName(username);
if(user == null)
{
throw new UsernameNotFoundException(username);
}
CustomUserDetail customUserDetail = new CustomUserDetail(user);
return customUserDetail;
}
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/user/**").hasRole("USER")
.antMatchers("/**").permitAll()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login")
.defaultSuccessUrl("/user/index");
}
下面是Controller
@Controller
@RequestMapping("/user")
public class UserController {
@Autowired
private UserRepo userRepo;
@RequestMapping(value = "/index")
public String login(Model mdl, Principal principal)
{
User user = userRepo.getUserByUserName(principal.getName());
mdl.addAttribute("user", user);
return "user/user-dashboard";
}
}
下面是我的 user-dashboard.html
而它位于 src/main/resources/templates/user
.
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<h1> Details of User</h1>
<p th:text="${user.name}"></p>
<p th:text="${user.email}"></p>
</body>
</html>
我点击登录按钮时 url 是 http://localhost:8092/user/index
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Sat Mar 19 18:16:13 IST 2022
There was an unexpected error (type=Forbidden, status=403).
Forbidden
数据库快照:
我认为你应该检查两件事。
- 用户在数据库中的角色数据是什么?
- 我认为它应该像数据库中的 ROLE_ADMIN 一样有一个前缀“ROLE_”。
- 检查应该加密保存在数据库中的密码
- Spring security 的 DaoAuthenticationProvider 使用
PasswordEncoderFactories.createDelegatingPasswordEncoder()
方法生成的默认 PasswordEncoder
。
- 所以您必须使用
PasswordEncoderFactories.createDelegatingPasswordEncoder()
实例的encode方法来保存用户数据的加密密码。 passwordEncoder.encode(password)
.
在数据库中保存时将其保存为 role_user 全部大写。 spring security 比较角色为 (role+ hasRole value)==db value.
我正在处理 Spring MVC 项目。我使用 Spring 安全来保护我项目的 url。当我单击登录按钮时登录成功,但在 localhost:8092/user/index
url 上出现错误 type=Forbidden, status=403
。我认为 Spring 安全中断 url.
下面是Spring Security
的代码:
CustomUserDetail
public class CustomUserDetail implements UserDetails {
private User user;
public CustomUserDetail(User user) {
super();
this.user = user;
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
SimpleGrantedAuthority authority = new SimpleGrantedAuthority(user.getRole());
return List.of(authority);
}
@Override
public String getPassword() {
return user.getPassword();
}
@Override
public String getUsername() {
return user.getEmail();
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
UserDetailsServiceImpl
public class UserDetailsServiceImpl implements UserDetailsService{
@Autowired
private UserRepo userRepo;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userRepo.getUserByUserName(username);
if(user == null)
{
throw new UsernameNotFoundException(username);
}
CustomUserDetail customUserDetail = new CustomUserDetail(user);
return customUserDetail;
}
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/user/**").hasRole("USER")
.antMatchers("/**").permitAll()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login")
.defaultSuccessUrl("/user/index");
}
下面是Controller
@Controller
@RequestMapping("/user")
public class UserController {
@Autowired
private UserRepo userRepo;
@RequestMapping(value = "/index")
public String login(Model mdl, Principal principal)
{
User user = userRepo.getUserByUserName(principal.getName());
mdl.addAttribute("user", user);
return "user/user-dashboard";
}
}
下面是我的 user-dashboard.html
而它位于 src/main/resources/templates/user
.
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<h1> Details of User</h1>
<p th:text="${user.name}"></p>
<p th:text="${user.email}"></p>
</body>
</html>
我点击登录按钮时 url 是 http://localhost:8092/user/index
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Sat Mar 19 18:16:13 IST 2022
There was an unexpected error (type=Forbidden, status=403).
Forbidden
数据库快照:
我认为你应该检查两件事。
- 用户在数据库中的角色数据是什么?
- 我认为它应该像数据库中的 ROLE_ADMIN 一样有一个前缀“ROLE_”。
- 检查应该加密保存在数据库中的密码
- Spring security 的 DaoAuthenticationProvider 使用
PasswordEncoderFactories.createDelegatingPasswordEncoder()
方法生成的默认PasswordEncoder
。 - 所以您必须使用
PasswordEncoderFactories.createDelegatingPasswordEncoder()
实例的encode方法来保存用户数据的加密密码。passwordEncoder.encode(password)
.
在数据库中保存时将其保存为 role_user 全部大写。 spring security 比较角色为 (role+ hasRole value)==db value.