Spring Boot method-based authorization

2016-07-28 144 views
1

I have to publish methods as REST services. I want to apply basic authorization security to one method, let's say "gpnfeedback". I do not want to apply any authorization to sendgpn. How can I configure SecurityConfig.java? I used the configuration below, but when calling http://localhost:7071/gpns/rest/sendgpn

Controller:

@Controller
@RequestMapping("/gpns/rest/")
public class GpnsRestController {

    // Endpoint that should be callable without any authorization
    @CrossOrigin
    @RequestMapping(value = "/sendgpn", method = RequestMethod.POST,
            produces = MediaType.APPLICATION_JSON_VALUE,
            consumes = { MediaType.MULTIPART_FORM_DATA_VALUE, MediaType.APPLICATION_JSON_VALUE })
    public @ResponseBody GpnsResponse sendgpn(
            @Valid @RequestPart(value = "data", required = true) SendGpnMessageMsisdnListReq sendGpnMessageMsisdnListReq,
            @Valid @ModelAttribute(value = "photo") MultipartFile photo,
            @Valid @ModelAttribute(value = "video") MultipartFile video,
            @Valid @ModelAttribute(value = "videothumbnail") MultipartFile videothumbnail) {
        // body omitted in the question
    }

    // Endpoint that should require HTTP Basic authentication with the client role
    @RequestMapping(method = RequestMethod.POST, value = "/gpnfeedback",
            consumes = MediaType.APPLICATION_JSON_VALUE,
            produces = MediaType.APPLICATION_JSON_VALUE)
    public @ResponseBody GpnsResponse gpnfeedback(HttpServletRequest http,
            @Valid @RequestBody GpnFeedbackReq gpnFeedbackReq) {
        // body omitted in the question
    }
}

Security:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity(debug = true)
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Passed to hasRole(), so the granted authority must be "ROLE_CLIENT_USER"
    public static final String ROLE_CLIENT = "CLIENT_USER";

    @Autowired
    private DatabaseAuthenticationProvider databaseAuthenticationProvider;

    @Autowired
    private GpnBasicAuthenticationEntryPoint basicAuthenticationEntryPoint;

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Requests under /soap/lb/ bypass the security filter chain entirely
        web.ignoring().antMatchers("/soap/lb/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.httpBasic().authenticationEntryPoint(this.basicAuthenticationEntryPoint);
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // @formatter:off
        http.authorizeRequests()
            .antMatchers("/gpns/rest/gpnfeedback/**").hasRole(ROLE_CLIENT)
            .anyRequest().authenticated().and().httpBasic();
        // @formatter:on
    }

    @Override
    protected void configure(AuthenticationManagerBuilder builder) throws Exception {
        // Providers will be invoked in the given order
        builder.authenticationProvider(this.databaseAuthenticationProvider);
    }
}

UPDATE-1: Still getting an authorization error. I have changed the rule to the following one. Although I can call the http://localhost:7071/gpns/rest/sendgpn method without any authorization, http://localhost:7071/gpns/rest/gpnfeedback is not handled by databaseAuthenticationProvider.

http.authorizeRequests()
    .antMatchers("/gpns/rest/gpnfeedback/**").hasRole(ROLE_CLIENT)
    .antMatchers("/gpns/rest/sendgpn/**").permitAll()
    .anyRequest().authenticated().and().httpBasic();

Answer

1

I think your problem is with this line of the configuration:

.anyRequest().authenticated().and().httpBasic(); 

Basically, what you are saying here is that every request (except the ignored ones) must be authenticated, but you do not care what role it has. Try using this instead:

.anyRequest().permitAll().and().httpBasic() 

Or, if you want to allow only sendgpn, you can do this:

http.authorizeRequests()
    .antMatchers("/gpns/rest/gpnfeedback/**").hasRole(ROLE_CLIENT)
    .antMatchers("/gpns/rest/sendgpn/**").permitAll()
    .anyRequest().authenticated().and().httpBasic();

EDIT: As for your update, my guess is that you have somehow misconfigured the provider, or you have incorrect data in your database. For example, if ROLE_CLIENT has the value "CLIENT", then Spring will expect the value in the DB to be "ROLE_CLIENT": it adds the "ROLE_" prefix to roles.
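A complete configuration, added here as an example and not part of the original question or answer, that combines the permitAll/hasRole rules above and shows the "ROLE_" prefix behaviour the edit describes. ExampleSecurityConfig, the in-memory user and its credential are assumed stand-ins for the poster's DatabaseAuthenticationProvider, and the POST-only matcher on /sendgpn is a tightening not in the original.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class ExampleSecurityConfig extends WebSecurityConfigurerAdapter {

    // hasRole(ROLE_CLIENT) only matches the granted authority "ROLE_CLIENT_USER":
    // Spring prepends "ROLE_" to whatever hasRole() receives.
    public static final String ROLE_CLIENT = "CLIENT_USER";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // Rules are evaluated top-down; the first matching rule wins.
                // Only POST /sendgpn is open; any other verb or path falls through.
                .antMatchers(HttpMethod.POST, "/gpns/rest/sendgpn").permitAll()
                .antMatchers("/gpns/rest/gpnfeedback/**").hasRole(ROLE_CLIENT)
                .anyRequest().authenticated()
            .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Hypothetical in-memory user standing in for DatabaseAuthenticationProvider.
        // roles("CLIENT_USER") stores the authority as "ROLE_CLIENT_USER"; a DB row
        // holding the bare value "CLIENT_USER" would be rejected with 403 on /gpnfeedback.
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("client")
            .password(encoder.encode("change-me"))   // constructed sample credential
            .roles(ROLE_CLIENT);
    }
}
```

A quick check: `curl -i -X POST http://localhost:7071/gpns/rest/gpnfeedback` should return 401 without credentials, while the same request with `-u client:change-me` passes the security filter and reaches the controller.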

It works partly. I mean it allows sendgpn, but gpnfeedback is not handled by this.databaseAuthenticationProvider. –

How do you know? Can you update the question with your details, since this is a different problem. –

As you can see, I only added .antMatchers("/gpns/rest/sendgpn/**").permitAll() per your suggestion; it allows calling the sendgpn method without authorization, but why is the gpnfeedback method not handled by databaseAuthenticationProvider? –