个人中心
文章发布
退出
作者热门文章
- html - 出于某种原因,IE8 对我的 Sass 文件中继承的 html5 CSS 不友好?
- JMeter 在响应断言中使用 span 标签的问题
- html - 在 :hover and :active? 上具有不同效果的 CSS 动画
- html - 相对于居中的 html 内容固定的 CSS 重复背景?
24
4
通过 Spring Security 我创建了一个方法:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/static/build/app.js", "/static/app/styles/*/**", "/static/app/js/*/**",
"/static/build/libs.js", "/index.html", "/static/build/*/**", "/", "/static/**").permitAll()
.antMatchers("/auth/**").permitAll()
.antMatchers("/api/user/registerClient").permitAll()
.antMatchers("/api/user/checklogin/**").permitAll()
.antMatchers("/api/user/getAllAdmins").permitAll()
.antMatchers("/api/**").hasAnyAuthority(AuthoritiesConstants.CLIENT, AuthoritiesConstants.ADMIN, AuthoritiesConstants.WORKER)
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/")
.loginProcessingUrl("/")
.permitAll();
Controller 方法示例:
@RequestMapping(value = "/api/vehicle")
@PreAuthorize("hasAnyAuthority('ADMIN', 'CLIENT')")
@RequestMapping(value = "", method = RequestMethod.GET)
public List<VehicleReservationModel> getVehiclesForClientByLogin(HttpServletRequest request) {
Principal name = request.getUserPrincipal();
if (name.getName() == null) {
throw new RuntimeException("Brak sesji");
}
if (roleService.getRoleForUserByLogin(name.getName()).toLowerCase().equals("admin")) {
return vehicleService.getAllVehicles();
} else {
List<VehicleReservationModel> vehicleList = vehicleService.getVehiclesForClientByLogin(name.getName());
if (vehicleList == null) {
throw new RuntimeException("Brak pojazdów dla klienta " + name.getName() + " - lista jest pusta");
}
return vehicleList;
}
}
这种情况是每当我从
中删除ADMIN时
@PreAuthorize("hasAnyAuthority('ADMIN', 'CLIENT')")
和评论:
.antMatchers("/api/**").hasAnyAuthority(AuthoritiesConstants.CLIENT, AuthoritiesConstants.ADMIN, AuthoritiesConstants.WORKER)
它总是让我进入API。我想每当我创造一些特权时,它总是会起作用的。为什么在上面的例子中我的 Spring Security 不起作用?
更新:答案是启用使用注释 PreAuthorize 您需要添加:@EnableGlobalMethodSecurity(prePostEnabled = true)
最佳答案
您启用了@Secured与 EnableGlobalMethodSecurity#securedEnabled :
Determines if Spring Security's Secured annotations should be enabled.
但您必须启用 @PreAuthorize与 EnableGlobalMethodSecurity#prePostEnabled :
Determines if Spring Security's pre post annotations should be enabled. Default is false.
您修改后的 Spring Security 配置:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/static/build/app.js", "/static/app/styles/*/**", "/static/app/js/*/**",
"/static/build/libs.js", "/index.html", "/static/build/*/**", "/", "/static/**").permitAll()
.antMatchers("/auth/**").permitAll()
.antMatchers("/api/user/registerClient").permitAll()
.antMatchers("/api/user/checklogin/**").permitAll()
.antMatchers("/api/user/getAllAdmins").permitAll()
// .antMatchers("/api/**").hasAnyAuthority(AuthoritiesConstants.CLIENT, AuthoritiesConstants.ADMIN, AuthoritiesConstants.WORKER)
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/")
.loginProcessingUrl("/")
.permitAll();
关于authentication - 每当声明停止请求时,HasAnyAuthority 总是让我进入 api,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/43419739/
24
4
0
通过 Spring Security 我创建了一个方法: @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(securedEn
通过 Spring Security 我创建了一个方法: @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(securedEn
我的 Controller 类如下: @PostMapping(path="/users/{id}") @PreAuthorize("hasAnyAuthority('CAN_READ')"
我是一名优秀的程序员,十分优秀!