  • Spring Boot Security: role-based access control

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // If the application is configured to require login
        if (needLogin) {
            http
                    .authorizeRequests()
                    .antMatchers("/keepalived", "/revision", "/static/**").permitAll()
                    // hasRole("ADMIN") matches the authority ROLE_ADMIN
                    .antMatchers("/manager/**").hasRole("ADMIN")
                    .anyRequest().authenticated()
                    .and()
                    .formLogin()
                    .loginPage("/login")
                    .defaultSuccessUrl("/index", true)
                    .permitAll()
                    .and()
                    .logout().permitAll();
        }
    }

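    The configuration is shown above. Note, however, that although the check is written for the ADMIN role, the value stored in the database must be ROLE_ADMIN, not ADMIN, because hasRole adds the "ROLE_" prefix before comparing against the user's authorities.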

    The HttpServletRequest.isUserInRole(String) will determine if SecurityContextHolder.getContext().getAuthentication().getAuthorities() contains a GrantedAuthority with the role passed into isUserInRole(String). Typically users should not pass in the "ROLE_" prefix into this method since it is added automatically. For example, if you want to determine if the current user has the authority "ROLE_ADMIN", you could use the following:

    boolean isAdmin = httpServletRequest.isUserInRole("ADMIN");

    This might be useful to determine if certain UI components should be displayed. For example, you might display admin links only if the current user is an admin.
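
The prefix mismatch described above can be reproduced with spring-security-core alone. This is an added example, not code from the original post: the class RolePrefixDemo and its helpers toAuthorities and hasRole are hypothetical names, hasRole is a simplified stand-in for the default-prefix comparison, and the role strings are constructed sample data.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

// Hypothetical demo class (not from the original post); needs spring-security-core on the classpath.
public class RolePrefixDemo {

    // Default prefix that hasRole(...) and isUserInRole(...) prepend to the role name.
    private static final String ROLE_PREFIX = "ROLE_";

    // Map role strings as stored in the database to authorities,
    // adding the prefix only when the stored value lacks it.
    static List<GrantedAuthority> toAuthorities(Collection<String> storedRoles) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String stored : storedRoles) {
            if (stored == null || stored.trim().isEmpty()) {
                continue; // skip blank rows instead of granting an empty authority
            }
            String role = stored.trim();
            String authority = role.startsWith(ROLE_PREFIX) ? role : ROLE_PREFIX + role;
            authorities.add(new SimpleGrantedAuthority(authority));
        }
        return authorities;
    }

    // Simplified stand-in for the comparison hasRole("ADMIN") makes with the default prefix.
    static boolean hasRole(Collection<? extends GrantedAuthority> authorities, String role) {
        String required = ROLE_PREFIX + role;
        for (GrantedAuthority granted : authorities) {
            if (required.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Case 1 (constructed): the stored value "ADMIN" is loaded verbatim, without the prefix.
        List<GrantedAuthority> asStored = new ArrayList<>();
        asStored.add(new SimpleGrantedAuthority("ADMIN"));
        System.out.println("verbatim ADMIN     -> " + hasRole(asStored, "ADMIN"));
        // Cases 2 and 3 (constructed): either stored form passes through the normalizing mapper.
        System.out.println("normalized ADMIN   -> " + hasRole(toAuthorities(Arrays.asList("ADMIN")), "ADMIN"));
        System.out.println("stored ROLE_ADMIN  -> " + hasRole(toAuthorities(Arrays.asList("ROLE_ADMIN")), "ADMIN"));
    }
}
```

The mismatch fails closed: a user whose authority is the bare string ADMIN is refused on /manager/** rather than granted extra access, so the symptom to look for is an unexpected 403 for an account that should be an administrator.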

  • Original article: https://www.cnblogs.com/csonezp/p/7017948.html