Java: Spring Boot security configuration does not work properly with roles/authorities
I have a problem with my Spring Boot application: the security configuration is not working. The configure method looks like this:
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .cors()
            .and()
            .csrf()
            .disable()
            .authorizeRequests()
            .antMatchers(ApplicationConstants.API_PREFIX + "/authenticate").permitAll()
            .antMatchers(ApplicationConstants.API_PREFIX + "/register").permitAll()
            .antMatchers(ApplicationConstants.API_PREFIX + "/activate").permitAll()
            .antMatchers(ApplicationConstants.API_PREFIX + "/consentTypes").permitAll()
            .antMatchers(ApplicationConstants.API_PREFIX + "/**").fullyAuthenticated()
            .antMatchers(ApplicationConstants.API_PREFIX + "/onboard/**", "/user/me").hasAnyAuthority(ApplicationConstants.USER, ApplicationConstants.ADMIN, ApplicationConstants.SUPER_ADMIN)
            .antMatchers(ApplicationConstants.API_PREFIX + "/consentType/**", "/consentType").hasAnyAuthority(ApplicationConstants.ADMIN, ApplicationConstants.SUPER_ADMIN)
            .antMatchers(ApplicationConstants.API_PREFIX + "/register/admin").hasAnyAuthority(ApplicationConstants.ADMIN, ApplicationConstants.SUPER_ADMIN)
            .antMatchers(ApplicationConstants.API_PREFIX + "/user/all").hasAnyAuthority(ApplicationConstants.ADMIN, ApplicationConstants.SUPER_ADMIN)
            .antMatchers(ApplicationConstants.API_PREFIX + "/register/superAdmin").hasAuthority(ApplicationConstants.SUPER_ADMIN)
            .and()
            .addFilter(new JwtAuthorizationFilter(authenticationManager(), tokenProvider)).antMatcher("/**")
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
The ApplicationConstants class looks like this:
    public class ApplicationConstants {
        public static final String API_PREFIX = "/api/v1";
        public static final String SPRING_PROFILE_TEST = "test";
        public static final String SPRING_PROFILE_DEV = "dev";
        public static final String USER = "USER";
        public static final String ADMIN = "ADMIN";
        public static final String SUPER_ADMIN = "SUPER_ADMIN";

        private ApplicationConstants() {
        }
    }
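This configuration somehow allows USER to create a new consent type (which it should not be able to do) and to get all users (/user/all), an operation it should not have access to.

I tried a few things: I prefixed the authority constants with ROLE_, I tried many combinations of antMatcher patterns, and so on. Nothing helped. What could I be doing wrong? Security is JWT-based, and it appears to supply the role names correctly. It added a ROLE_ prefix by itself, so I removed the prefix from the constants, and still nothing.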
0 answers
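Added example, not part of the original question or of any project code: Spring Security evaluates `authorizeRequests()` matchers in the order they are declared and applies the first one that matches, so the `/api/v1/**` `fullyAuthenticated()` rule in the posted configuration is reached before the authority rules declared after it. The self-contained simulation below evaluates three of the posted rules in the original order and with the catch-all moved last. The `Rule` record, the simplified `matches` helper, the `USER` principal and the sample path `/api/v1/consentType/42` are constructed for illustration and are not Spring classes or values from the page.

```java
import java.util.List;
import java.util.Set;

// Added illustration: models first-match-wins rule evaluation in plain Java (no Spring needed).
public class MatcherOrderDemo {
    // Hypothetical stand-in for one antMatchers(...) line; an empty 'allowed' set
    // means "any authenticated user", like fullyAuthenticated().
    record Rule(String pattern, Set<String> allowed) {}

    // Simplified ant matching: only exact paths and a trailing "/**" are supported.
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/**")) {
            String base = pattern.substring(0, pattern.length() - 3);
            return path.equals(base) || path.startsWith(base + "/");
        }
        return pattern.equals(path);
    }

    // The first rule whose pattern matches decides; later rules are never consulted.
    static boolean permitted(List<Rule> rules, String path, Set<String> authorities) {
        for (Rule r : rules) {
            if (matches(r.pattern(), path)) {
                return r.allowed().isEmpty()
                        || r.allowed().stream().anyMatch(authorities::contains);
            }
        }
        return false; // no rule matched: deny in this model
    }

    public static void main(String[] args) {
        Set<String> admins = Set.of("ADMIN", "SUPER_ADMIN");
        Rule catchAll = new Rule("/api/v1/**", Set.of());            // fullyAuthenticated()
        Rule consent = new Rule("/api/v1/consentType/**", admins);   // hasAnyAuthority(ADMIN, SUPER_ADMIN)
        Rule allUsers = new Rule("/api/v1/user/all", admins);        // hasAnyAuthority(ADMIN, SUPER_ADMIN)

        List<Rule> asPosted = List.of(catchAll, consent, allUsers);  // order used in the question
        List<Rule> reordered = List.of(consent, allUsers, catchAll); // specific rules first

        Set<String> user = Set.of("USER"); // constructed sample principal
        for (String path : List.of("/api/v1/user/all", "/api/v1/consentType/42")) {
            System.out.printf("%-24s asPosted=%b reordered=%b%n", path,
                    permitted(asPosted, path, user), permitted(reordered, path, user));
        }
    }
}
```

In the posted order both paths are permitted for a principal holding only `USER`; with the catch-all rule declared last, both are denied.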