@Override protected void configure(HttpSecurity http) throws Exception { //如果配置为需要登录 if (needLogin) { http .authorizeRequests() .antMatchers("/keepalived", "/revision","/static/**").permitAll() .antMatchers("/manager/**").hasRole("ADMIN") .anyRequest().authenticated() .and() .formLogin() .loginPage("/login") .defaultSuccessUrl("/index",true) .permitAll() .and() .logout().permitAll();
} }
配置如上所示。但是需要注意,检查的是ADMIN角色,库里存的字段要是ROLE_ADMIN,而不是ADMIN。
The HttpServletRequest.isUserInRole(String) will determine if
SecurityContextHolder.getContext().getAuthentication().getAuthorities()contains aGrantedAuthoritywith the role passed intoisUserInRole(String). Typically users should not pass in the "ROLE_" prefix into this method since it is added automatically. For example, if you want to determine if the current user has the authority "ROLE_ADMIN", you could use the following:boolean isAdmin = httpServletRequest.isUserInRole("ADMIN");This might be useful to determine if certain UI components should be displayed. For example, you might display admin links only if the current user is an admin.
Spring Boot Security 基于角色的访问控制
原文:http://www.cnblogs.com/csonezp/p/7017948.html