无论是否登录,每一个<div>都sec:authentication="..."显示。即使是显式也会false导致div出现。另一方面<div>s withsec:authorize="..."是隐藏的,即使是显式的true.我曾尝试检查 Maven 依赖项、Spring MVC 配置、Spring Security DialectServletContextConfig和许多其他答案,但没有解决方案适用于我的情况。索引.html:<!DOCTYPE html><html xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4"><head> <meta charset="UTF-8"/> <title>blah blah</title> <link href="https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css" rel="stylesheet"/></head><body style="text-align: center;"> <div sec:authentication="true"> authentication - always</div><div sec:authentication="false"> authentication - never</div><div class="container" sec:authentication="isAnonymous()"> authentication - anonymous</div><div class="container" sec:authentication="!isAnonymous()"> authentication - not anonymous</div><div class="container" sec:authentication="isAuthenticated()"> authentication - authenticated</div><div class="container" sec:authentication="!isAuthenticated()"> authentication - not authenticated</div><div sec:authorize="true"> authorize - always</div><div sec:authorize="false"> authorize - never</div><div class="container" sec:authorize="isAnonymous()"> authorize - anonymous</div><div class="container" sec:authorize="!isAnonymous()"> authorize - not anonymous</div><div class="container" sec:authorize="isAuthenticated()"> authorize - authenticated</div><div class="container" sec:authorize="!isAuthenticated()"> authorize - not authenticated</div>预期结果(未登录时):身份验证 - 始终身份验证 - 匿名认证 - 未认证授权 - 始终授权 - 匿名授权 - 未认证用户名:匿名40实际结果:身份验证 - 始终身份验证 - 从不身份验证 - 匿名身份验证 - 非匿名身份验证 - 经过身份验证认证 - 未认证用户名:40
2 回答
慕的地10843
TA贡献1785条经验 获得超8个赞
就我而言,使用“Spring Security 5”和“thymeleaf-extras-springsecurity4”导致了这个问题。如果您使用的是 Spring Security 5,请改用“thymeleaf-extras-springsecurity5”。(最近发布了“thymeleaf-extras-springsecurity5”)
慕田峪4524236
TA贡献1875条经验 获得超5个赞
通过挖掘越来越多的解决方案,我找到了一个适合我的解决方案:
不能有
web.ignoring().antMatchers("/");at 之类的东西SecurityConfig.configure()。
即,您要应用“授权过滤器”的页面不得设置为被安全忽略。使用
sec:authorize,而不是sec:authentication(这会导致误差)index.html。
工作index.html:
<!DOCTYPE html>
<html
xmlns:th="http://www.thymeleaf.org"
xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
<head>
<meta charset="UTF-8"/>
<title>bla bla bla</title>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css" rel="stylesheet"/>
</head>
<body style="text-align: center;">
<div sec:authorize="true">
authorize - always
</div>
<div sec:authorize="false">
authorize - never
</div>
<div class="container" sec:authorize="isAnonymous()">
authorize - anonymous
</div>
<div class="container" sec:authorize="!isAnonymous()">
authorize - not anonymous
</div>
<div class="container" sec:authorize="isAuthenticated()">
authorize - authenticated
</div>
<div class="container" sec:authorize="!isAuthenticated()">
authorize - not authenticated
</div>
<strong> Username: <span sec:authentication="name"></span> </strong>
<div th:text="${#authorization.getAuthentication()}">1</div>
<div th:text="${40}">1</div>
<!-- end of content! -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.3/umd/popper.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js"></script>
</body>
</html>
结果:(登录时)
授权 - 始终
授权 - 非匿名
授权 - 认证
用户名:test2
org.springframework.security.authentication.UsernamePasswordAuthenticationToken@00000000:委托人:....
40
(未登录时)
授权 - 始终
授权 - 匿名
授权 - 未认证
用户名:anonymousUser
org.springframework.security.authentication.UsernamePasswordAuthenticationToken@00000000:委托人:....
40
添加回答
举报
0/150
提交
取消