Python中文网

一个关于 编程问题的解答网站.

有 Java 编程相关的问题?

你可以在下面搜索框中键入要查询的问题!

mongodb后授权和预授权不起作用的java spring引导安全性

2 周 Questions & Answers

身份验证正在工作,但授权无效。请帮忙,我找不到哪里出了问题

控制器

@RestController
@RequestMapping("/v1/user")
public class UserController {

    @PostAuthorize("hasRole('ROLE_ADMIN')") //@PreAuthorize("hasRole('ROLE_ADMIN')"), both are not working
    @RequestMapping(method = RequestMethod.DELETE)
    @ResponseStatus(HttpStatus.NO_CONTENT)
    public void deleteUser() {
        log.debug("Only Admin can access this");

        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        System.out.println("User name "+auth.getName()); //prints - User name pratap
        System.out.println("User Authorities "+auth.getAuthorities()); // prints - User Authorities [ADMIN]
    }
}

安全配置。java

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomUserDetailsService customUserDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests().anyRequest().fullyAuthenticated().and().
                httpBasic().and().
                csrf().disable();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(customUserDetailsService);
    }
}

CustomUserDetails服务。java

@Service
public class CustomUserDetailsService implements UserDetailsService {

    @Autowired
    private UserRepository userRepository;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userRepository.findByUsername(username);
        System.out.println("username "+user.getUsername());
        if(user != null) {
            return new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(), true, true, true, true,
                    AuthorityUtils.createAuthorityList("ADMIN"));
        } else {
            throw new UsernameNotFoundException("could not find the user '"
                    + username + "'");
        }
    }
}

错误:

{
  "timestamp": 1472789456591,
  "status": 403,
  "error": "Forbidden",
  "message": "Access is denied",
  "path": "/v1/user/pratap"
}

共 (1) 个答案

  1. # 1 楼答案

    我明白了。添加角色时,应以“角色”作为前缀

    AuthorityUtils.createAuthorityList("ROLE_ADMIN", "ROLE_USER"));

    在@PreAuthorize中,它应该没有前缀“ROLE_2;”

    @PreAuthorize("hasRole('ADMIN')")