我的彈簧安全實作有問題。我有一些 UserDetails 和 UserDetailsS??ervice 的基本配置。我已經使用 WebSecurityConfigurerAdapter 完成了一些端點和一些安全配置。在 chrome 上一切正常 - 如果您嘗試訪問安全端點,安全配置會將您重定向到登錄表單,登錄后將您重定向到您的 /api。但是在郵遞員中,即使發送 GET 請求授權也不起作用,您可以獲取所有資料的回應,這些資料僅適用于管理員或授權后。
這是我的安全配置
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.transaction.annotation.EnableTransactionManagement;
@Configuration
@EnableWebSecurity
@EnableTransactionManagement
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
AuthenticationSuccessHandler successHandler;
@Autowired
UserDetailsService userDetailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http./*sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).
and().*/
authorizeRequests()
.antMatchers("/api/players").hasAnyRole("ADMIN")
.antMatchers("/api/organizers").hasAnyRole("ADMIN")
.antMatchers("/api/events").permitAll()
.antMatchers("/h2-console/**").permitAll()
.and()
.formLogin()
.successHandler(successHandler)
.permitAll()
.and()
.logout()
.permitAll()
/*.and()
.csrf().disable()*/;
}
@Bean
public PasswordEncoder getPasswordEncoder() {return NoOpPasswordEncoder.getInstance();}
}
和示例 GET 端點的配置
@RestController
@RequestMapping(value="/api",produces = MediaType.APPLICATION_JSON_VALUE)
@RequiredArgsConstructor
public class UserViewRestContoller {
@NonNull
private final UserQuery query;
@GetMapping(value="/players")
@PreAuthorize("hasRole('ADMIN')")
List<PlayerView> getPlayers() {
return query.listPlayers();
}
@GetMapping(value="players/{userId}",produces = MediaType.APPLICATION_JSON_VALUE)
@PreAuthorize("#userId == authentication.principal.userId or hasRole('ADMIN')")
PlayerDetails getPlayer(@PathVariable UUID userId){
return query.getPlayerDetails(userId);
}
所以在瀏覽器訪問 /api/players 你會看到
并在郵遞員
uj5u.com熱心網友回復:
您是否啟用了全域方法安全性?
@EnableGlobalMethodSecurity(
prePostEnabled = true,
securedEnabled = true,
jsr250Enabled = true)
此外,我在代碼中沒有看到任何 JWT 令牌實作。您如何獲得管理員角色并對其進行授權。您從哪里獲得管理員角色?
uj5u.com熱心網友回復:
好的,我發現了 antMatchers 定義中的一個問題。
.antMatchers("/api/players")
僅保護 /api/players
不是 /api/players/ 和 /api/players/**
正確的螞蟻匹配器應該是
.antMatchers("/api/players/**").hasAnyRole("ADMIN")
轉載請註明出處,本文鏈接:https://www.uj5u.com/shujuku/346845.html
上一篇:為什么雙向多對一會導致Hibernate中的回圈依賴?
下一篇:MappedInterceptorBean與WebMvcConfigureraddInterceptors。添加SpringHandlerInterceptor的正確(現代)方法是什么?