spring security + thymeleaf 判斷登錄用戶的權限

spring security的UserDetailService是我自己定義的。

@Component
public class MyUserDetailsService implements UserDetailsService {
    
    @Autowired
    private UserRepository userRepository;

    @Override
    public UserDetails loadUserByUsername(String username) {
        // Get user and his authority from userRepository
        user = userRepository.getUserByUsername(username);
	Set<GrantedAuthority> authorities = new HashSet<>();
        user.getPermissions().forEach(r -> authorities.add(new SimpleGrantedAuthority(r.getValue())));
MyUser myUser = new MyUser (username, ....); return myUser; }} MyUser.java,扒的User.java

public class MyUser implements UserDetails, CredentialsContainer {...}

index.html:

<script th:inline="javascript">
    /*<![CDATA[*/
    var username = /*[[${name}]]*/ '';
    var isAnonymous = [[${#authorization.expression('hasRole(''ROLE_ANONYMOUS'')')}]];
    var isSomeAuth = [[${#authorization.expression('hasRole(''SOME_AUTH'')')}]];
    var s = [[${#authorization.expression('hasRole(''ROLE_SOME_AUTH'')')}]];

從數據庫獲取的用戶Permission,在前端怎麼都拿不到,返回的結果一直false,但是通過${authentication.principal}打印的結果卻能夠看到。

debug發現expression方法會調用org.springframework.security.access.expression.SecurityExpressionRoot的方法hasAnyRole,這個方法會將hasRole()裏的字符串加上ROLE_與UserDetails的GrantedAuthority逐個比較,因此,最簡單的方法就是把數據庫中權限用ROLE_開頭

發佈了43 篇原創文章 · 獲贊 6 · 訪問量 8萬+
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章