sec授权它不适用于spring security

Question

我正在尝试将我的 SpringMVC 和 Thymeleaf 项目与 Spring Security 集成。我发现这个问题很常见，但我尝试了解决方案，没有人适合我。

我将 org.thymeleaf.spring4.SpringTemplateEngine 类添加到我的配置中，但它不起作用。

spring-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-4.2.xsd">


<http auto-config="true" use-expressions="true">  
    <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />
</http>


    <authentication-manager>  
      <authentication-provider>  
        <user-service>  
        <user name="usuario" password="123456" authorities="ROLE_USER" />  
        </user-service>  
        <password-encoder ref="passwordEncoder" />
      </authentication-provider>  
    </authentication-manager>  

<beans:bean id ="passwordEncoder" 
class = "org.springframework.security.crypto.password.NoOpPasswordEncoder" factory-method = "getInstance" />

<beans:bean id="templateEngine" class="org.thymeleaf.spring4.SpringTemplateEngine">
  <beans:property name="additionalDialects">
    <beans:set>
      <beans:bean class="org.thymeleaf.extras.springsecurity4.dialect.SpringSecurityDialect"/>
    </beans:set>
  </beans:property>
</beans:bean>

</beans:beans>

页面：

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:th="http://www.thymeleaf.org"
xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">


<head>      
    <title>Home</title>

</head>

<body

    <div sec:authorize="hasRole('ROLE_USER')">Text visible to user.</div>
    <div sec:authorize="hasRole('ROLE_ADMIN')">Text visible to admin.</div>
        <div sec:authorize="isAuthenticated()">
            Text visible only to authenticated users.
        </div>
        <h4>Spring security.</h4>

</body>

</html>

pom.xml

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>5.0.0.RELEASE</version>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>5.0.0.RELEASE</version>
    </dependency>

    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-springsecurity4</artifactId>
        <version>3.0.3.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core</artifactId>
        <version>5.0.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.thymeleaf</groupId>
    <artifactId>thymeleaf</artifactId>
    <version>3.0.9.RELEASE</version>
</dependency>
    <dependency>
    <groupId>org.thymeleaf</groupId>
    <artifactId>thymeleaf-spring4</artifactId>
    <version>3.0.9.RELEASE</version>
</dependency>

它会在您登录之前向用户显示所有这些内容。 拜托，你能帮帮我吗？

Answer 1

这是版本问题。

页面：

xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity5"
        :
<div sec:authorize="hasAuthority('ROLE_USER')">..</div>

pom.xml

<dependency>
    <groupId>org.thymeleaf</groupId>
    <artifactId>thymeleaf-spring5</artifactId>
    <version>3.0.11.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-springsecurity5</artifactId>
    <version>3.0.4.RELEASE</version>
</dependency>

Answer 2

您是否尝试过使用 hasAuthority 而不是 hasRole？

sec:authorize="hasAuthority('ADMIN')"

看来，hasRole 不适用于 Spring 4。