身份验证 – 不起作用

2023年4月7日 253次阅读

我有以下用户xhtml页面：

<html xmlns="http://www.w3.org/1999/xhtml"
    xmlns:h="http://java.sun.com/jsf/html"
    xmlns:f="http://java.sun.com/jsf/core"
    xmlns:p="http://primefaces.org/ui"
    xmlns:sec="http://www.springframework.org/security/tags">
<head>
<title>User</title>
</head>

<body>
    <p>User</p>
    <sec:authorize access="hasRole('ROLE_ADMIN')">
        <p>Only admin can see this !</p>
    </sec:authorize>
</body>
</html>

但是当我使用没有角色ROLE_ADMIN的用户访问该页面时,他仍然可以看到“只有管理员可以看到这个！”

编辑：

这是我的spring安全配置：

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:p="http://www.springframework.org/schema/p" xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security-3.2.xsd
        http://www.springframework.org/schema/util 
        http://www.springframework.org/schema/util/spring-util-3.2.xsd">

    <http pattern="/resources" security="none" />

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/login**" access="permitAll" />

        <intercept-url pattern="/denied**" access="permitAll" />
        <intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')" />


        <form-login login-page="/login.xhtml"
            authentication-failure-url="/denied.xhtml"
            authentication-success-handler-ref="securityAuthenticationSuccessHandler" />

        <access-denied-handler error-page="/denied.xhtml" />

        <logout logout-success-url="/login.xhtml" delete-cookies="JSESSIONID"
            invalidate-session="true" />
    </http>

    <authentication-manager>
        <authentication-provider user-service-ref="securityProviderServiceImpl">
            <password-encoder hash="md5" />
        </authentication-provider>
    </authentication-manager>
</beans:beans>

它有什么问题吗？

谢谢..

编辑2：

我对安全标记lib“xmlns：sec =”http://www.springframework.org/security/tags“”发出警告

NLS missing message: CANNOT_FIND_FACELET_TAGLIB in: org.eclipse.jst.jsf.core.validation.internal.facelet.messages

那很重要么？这是问题的原因吗？

我的maven安全依赖项：

        <dependency>
                <groupId>org.springframework.security</groupId>
                <artifactId>spring-security-core</artifactId>
                <version>${org.springframework.security.version}</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>${org.springframework.security.version}</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>${org.springframework.security.version}</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-taglibs</artifactId>
            <version>${org.springframework.security.version}</version>
        </dependency>

最佳答案最后我解决了这个问题.

以下链接对我有很大帮助：

1)“Amreesh Tyagi”的答案在这里How to use the Spring Security Facelets tag library in JSF.

和

2)本文第http://doanduyhai.wordpress.com/2012/02/26/spring-security-part-v-security-tags/页的第3部分(Facelet的III安全标签)

我使用了Amreesh Tyagi的springsecurity.taglib.xml文件而不是文章中的一篇,因为我遇到了访问函数的问题.