1. 首頁
  2. 問答
  3. HasAnyAuthority總是讓我在進入API時,它被宣佈停止

HasAnyAuthority總是讓我在進入API時,它被宣佈停止

2017-04-14 555 views
1

通過Spring Security的去我創建了一個方法的要求:HasAnyAuthority總是讓我在進入API時,它被宣佈停止

@Configuration 
@EnableWebSecurity 
@EnableGlobalMethodSecurity(securedEnabled = true) 
public class WebSecurityConfig extends WebSecurityConfigurerAdapter { 
    @Autowired 
    private UserDetailsService userDetailsService; 

    @Override 
    protected void configure(HttpSecurity http) throws Exception { 

     http 
      .csrf().disable() 
      .authorizeRequests() 
       .antMatchers("/static/build/app.js", "/static/app/styles/*/**", "/static/app/js/*/**", 
         "/static/build/libs.js", "/index.html", "/static/build/*/**", "/", "/static/**").permitAll() 
       .antMatchers("/auth/**").permitAll() 
       .antMatchers("/api/user/registerClient").permitAll() 
       .antMatchers("/api/user/checklogin/**").permitAll() 
       .antMatchers("/api/user/getAllAdmins").permitAll() 
       .antMatchers("/api/**").hasAnyAuthority(AuthoritiesConstants.CLIENT, AuthoritiesConstants.ADMIN, AuthoritiesConstants.WORKER) 
       .anyRequest().authenticated() 
       .and() 
      .formLogin() 
       .loginPage("/") 
       .loginProcessingUrl("/") 
       .permitAll();

而且例如控制器的方法:

@RequestMapping(value = "/api/vehicle") 
@PreAuthorize("hasAnyAuthority('ADMIN', 'CLIENT')") 
@RequestMapping(value = "", method = RequestMethod.GET) 
public List<VehicleReservationModel> getVehiclesForClientByLogin(HttpServletRequest request) { 
    Principal name = request.getUserPrincipal(); 
    if (name.getName() == null) { 
     throw new RuntimeException("Brak sesji"); 
    } 
    if (roleService.getRoleForUserByLogin(name.getName()).toLowerCase().equals("admin")) { 
     return vehicleService.getAllVehicles(); 
    } else { 
     List<VehicleReservationModel> vehicleList = vehicleService.getVehiclesForClientByLogin(name.getName()); 
     if (vehicleList == null) { 
      throw new RuntimeException("Brak pojazdów dla klienta " + name.getName() + " - lista jest pusta"); 
     } 
     return vehicleList; 
    } 
}

的情況是每當我刪除ADMIN

@PreAuthorize("hasAnyAuthority('ADMIN', 'CLIENT')")

和評論:

.antMatchers("/api/**").hasAnyAuthority(AuthoritiesConstants.CLIENT, AuthoritiesConstants.ADMIN, AuthoritiesConstants.WORKER)

it always讓我進入API。我想每當我創造一些privilidges,它將始終工作。爲什麼在上面的例子中我的Spring Security不起作用?

UPDATE: 的answear是讓使用註釋PreAuthorize您需要添加: @EnableGlobalMethodSecurity(prePostEnabled = true)

來源

2017-04-14 bielas

回答

2

你跟EnableGlobalMethodSecurity#securedEnabled啓用@Secured

確定是否Spring Security的擔保註解應該啓用。

,但你必須啓用@PreAuthorizeEnableGlobalMethodSecurity#prePostEnabled

確定是否Spring Security的預後的註釋應該啓用。默認爲false。

修改後的春季安全配置:

@Configuration 
@EnableWebSecurity 
@EnableGlobalMethodSecurity(prePostEnabled = true) 
public class WebSecurityConfig extends WebSecurityConfigurerAdapter { 
    @Autowired 
    private UserDetailsService userDetailsService; 

    @Override 
    protected void configure(HttpSecurity http) throws Exception { 

     http 
      .csrf().disable() 
      .authorizeRequests() 
       .antMatchers("/static/build/app.js", "/static/app/styles/*/**", "/static/app/js/*/**", 
        "/static/build/libs.js", "/index.html", "/static/build/*/**", "/", "/static/**").permitAll() 
       .antMatchers("/auth/**").permitAll() 
       .antMatchers("/api/user/registerClient").permitAll() 
       .antMatchers("/api/user/checklogin/**").permitAll() 
       .antMatchers("/api/user/getAllAdmins").permitAll() 
       // .antMatchers("/api/**").hasAnyAuthority(AuthoritiesConstants.CLIENT, AuthoritiesConstants.ADMIN, AuthoritiesConstants.WORKER) 
       .anyRequest().authenticated() 
       .and() 
      .formLogin() 
       .loginPage("/") 
       .loginProcessingUrl("/") 
       .permitAll();

來源

2017-04-15 13:59:02 dur

相關問題

 相關問題