本文介绍了每当声明停止请求时,HasAnyAuthority总是让我进入API的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
通过Spring Security,我创建了一个方法:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/static/build/app.js", "/static/app/styles/*/**", "/static/app/js/*/**",
"/static/build/libs.js", "/index.html", "/static/build/*/**", "/", "/static/**").permitAll()
.antMatchers("/auth/**").permitAll()
.antMatchers("/api/user/registerClient").permitAll()
.antMatchers("/api/user/checklogin/**").permitAll()
.antMatchers("/api/user/getAllAdmins").permitAll()
.antMatchers("/api/**").hasAnyAuthority(AuthoritiesConstants.CLIENT, AuthoritiesConstants.ADMIN, AuthoritiesConstants.WORKER)
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/")
.loginProcessingUrl("/")
.permitAll();
和控制器方法示例:
@RequestMapping(value = "/api/vehicle")
@PreAuthorize("hasAnyAuthority('ADMIN', 'CLIENT')")
@RequestMapping(value = "", method = RequestMethod.GET)
public List<VehicleReservationModel> getVehiclesForClientByLogin(HttpServletRequest request) {
Principal name = request.getUserPrincipal();
if (name.getName() == null) {
throw new RuntimeException("Brak sesji");
}
if (roleService.getRoleForUserByLogin(name.getName()).toLowerCase().equals("admin")) {
return vehicleService.getAllVehicles();
} else {
List<VehicleReservationModel> vehicleList = vehicleService.getVehiclesForClientByLogin(name.getName());
if (vehicleList == null) {
throw new RuntimeException("Brak pojazdów dla klienta " + name.getName() + " - lista jest pusta");
}
return vehicleList;
}
}
每当我从
中删除ADMIN时就会出现这种情况@PreAuthorize("hasAnyAuthority('ADMIN', 'CLIENT')")
并评论:
.antMatchers("/api/**").hasAnyAuthority(AuthoritiesConstants.CLIENT, AuthoritiesConstants.ADMIN, AuthoritiesConstants.WORKER)
它始终让我进入API。我想每当我创建一些特权时,它都会起作用。为什么在上面的示例中,我的Spring Security不起作用?
更新:为了启用使用注释PreAuthorize,您需要添加:@EnableGlobalMethodSecurity(prePostEnabled = true)
推荐答案
您启用了@SecuredEnableGlobalMethodSecurity#securedEnabled:
但您必须使用EnableGlobalMethodSecurity#prePostEnabled启用@PreAuthorize:
修改后的Spring安全配置:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/static/build/app.js", "/static/app/styles/*/**", "/static/app/js/*/**",
"/static/build/libs.js", "/index.html", "/static/build/*/**", "/", "/static/**").permitAll()
.antMatchers("/auth/**").permitAll()
.antMatchers("/api/user/registerClient").permitAll()
.antMatchers("/api/user/checklogin/**").permitAll()
.antMatchers("/api/user/getAllAdmins").permitAll()
// .antMatchers("/api/**").hasAnyAuthority(AuthoritiesConstants.CLIENT, AuthoritiesConstants.ADMIN, AuthoritiesConstants.WORKER)
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/")
.loginProcessingUrl("/")
.permitAll();
这篇关于每当声明停止请求时,HasAnyAuthority总是让我进入API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!