gpt4 book ai didi

java - Spring Boot Security hasRole 被忽略

转载 作者:塔克拉玛干 更新时间:2023-11-02 19:21:55 24 4
gpt4 key购买 nike

我正在尝试保护我的 spring boot 应用程序 (1.21) 的一些 urlpattern看起来我的 antMatchers("/report**").hasRole("REPORT") 被忽略了。我更改了我的 antMatchers 的顺序,但这没有任何改变。

例如如果我浏览到 localhost:9000/report/books 之类的内容,我需要登录,它仅适用于我的用户名密码组合,但我没有将 ROLE REPORT 设置为我的用户“用户”。所以我希望我不能访问报告站点,但会显示该页面。

我该如何更改它,只有具有角色 REPORT 的用户才能访问该 url?

EDIT1 更新源文件

应用程序.java

@SpringBootApplication
@EnableTransactionManagement
public class Application {

public static void main(String[] args) {
@SuppressWarnings("unused")
ApplicationContext ctx = SpringApplication.run(Application.class, args);
}
}

MvcConfig.java

@Configuration
public class MvcConfig extends WebMvcConfigurerAdapter {

@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/login").setViewName("login");
}

@Bean
public EmbeddedServletContainerCustomizer containerCustomizer(){
return new MyCustomizer();
}

private static class MyCustomizer implements EmbeddedServletContainerCustomizer {

@Override
public void customize(ConfigurableEmbeddedServletContainer factory) {
factory.addErrorPages(new ErrorPage(HttpStatus.NOT_FOUND, "/error/404"));
factory.addErrorPages(new ErrorPage(Exception.class, "/error/exception"));
}

}

@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/error/**").addResourceLocations("classpath:/static/");
registry.addResourceHandler("/static/**").addResourceLocations("classpath:/static/");
registry.addResourceHandler("/css/**").addResourceLocations("classpath:/static/css/");
registry.addResourceHandler("/images/**").addResourceLocations("classpath:/static/images/");
registry.addResourceHandler("/js/**").addResourceLocations("classpath:/static/js/");
}

}

WebSecurityConfig.java

@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {


http.sessionManagement().enableSessionUrlRewriting(false);

http
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll()
.and()
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/report**").hasRole("REPORT")
.anyRequest().fullyAuthenticated();

}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {

auth
.inMemoryAuthentication()
.withUser("user").password("user").roles("USER").and()
.withUser("admin").password("admin").roles("ADMIN");
}

}

最佳答案

我需要更改以下内容:

  1. 将/report**改为/report/**
  2. 添加 .and().exceptionHandling().accessDeniedPage("/error/403");
  3. 也许它可以在没有@Order 的情况下工作,但我在 spring boot 示例中看到了它
  4. (/error/403 必须映射到错误页面)

网络安全配置

@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {


http.sessionManagement().enableSessionUrlRewriting(false);

http
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll()
.and()
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/report/**").hasRole("REPORT")
.anyRequest().fullyAuthenticated()
.and().exceptionHandling().accessDeniedPage("/error/403");

}

@Override
@Order(Ordered.HIGHEST_PRECEDENCE)
protected void configure(AuthenticationManagerBuilder auth) throws Exception {

auth
.inMemoryAuthentication()
.withUser("user").password("user").roles("USER").and()
.withUser("admin").password("admin").roles("ADMIN","REPORT");
}

}

关于java - Spring Boot Security hasRole 被忽略,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/27869270/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com