spring security的UserDetailService是我自己定义的。
@Component public class MyUserDetailsService implements UserDetailsService { @Autowired private UserRepository userRepository; @Override public UserDetails loadUserByUsername(String username) { // Get user and his authority from userRepositoryMyUser.java,扒的User.javauser = userRepository.getUserByUsername(username);Set<GrantedAuthority> authorities = new HashSet<>(); user.getPermissions().forEach(r -> authorities.add(new SimpleGrantedAuthority(r.getValue())));MyUser myUser = new MyUser (username, ....); return myUser; }}
public class MyUser implements UserDetails, CredentialsContainer {...}
index.html:
<script th:inline="javascript"> /*<![CDATA[*/ var username = /*[[${name}]]*/ ''; var isAnonymous = [[${#authorization.expression('hasRole(''ROLE_ANONYMOUS'')')}]]; var isSomeAuth = [[${#authorization.expression('hasRole(''SOME_AUTH'')')}]]; var s = [[${#authorization.expression('hasRole(''ROLE_SOME_AUTH'')')}]];
从数据库获取的用户Permission,在前端怎么都拿不到,返回的结果一直false,但是通过${authentication.principal}打印的结果却能够看到。
debug发现expression方法会调用org.springframework.security.access.expression.SecurityExpressionRoot的方法hasAnyRole,这个方法会将hasRole()里的字符串加上ROLE_与UserDetails的GrantedAuthority逐个比较,因此,最简单的方法就是把数据库中权限用ROLE_开头