Spring Boot基于角色的认证
我有一个关于基于Spring Boot角色的身份validation的问题。 基本上,我想有用户和管理员,我想阻止用户访问管理资源。 所以我创建了一个SecurityConfig类:
package test; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity; @Configuration @EnableWebMvcSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication() .withUser("user1").password("password1").roles("USER, ADMIN") .and() .withUser("user2").password("password2").roles("USER"); } @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/service/test").access("hasRole('USER') or hasRole('ADMIN')") .antMatchers("/service/admin").access("hasRole('ADMIN')"); } } 这是我的小REST服务:
package test; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RestController; @RestController @RequestMapping("/service") public class RestService { @RequestMapping(value = "/test", method = RequestMethod.GET) public String echo() { return "This is a test"; } @RequestMapping(value = "/admin", method = RequestMethod.GET) public String admin() { return "admin page"; } }
我的应用类:
package test; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.EnableAutoConfiguration; import org.springframework.boot.autoconfigure.SpringBootApplication; @SpringBootApplication @EnableAutoConfiguration public class Application { public static void main(String[] args) { SpringApplication.run(Application.class, args); } }
不幸的是,在执行“curl user1:password1 @ localhost:8080 / service / admin”时,我总是收到403“禁止/访问被拒绝”错误消息…我在配置方法中是否遗漏了什么?
非常感谢你提前!
你能检查一下吗?
withUser("user1").password("password1").roles("USER", "ADMIN")
在单独的qoutes中写“USER”和“ADMIN”。
我通过以下方式更改它,现在它似乎正在工作:
@Configuration @EnableWebMvcSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication() .withUser("user1").password("password1").roles("USER", "ADMIN") .and() .withUser("user2").password("password2").roles("USER"); } @Override protected void configure(HttpSecurity http) throws Exception { http.formLogin().permitAll() .and() .authorizeRequests() .antMatchers("/service/test").hasAnyRole("USER", "ADMIN") .antMatchers("/service/admin").hasRole("ADMIN") .anyRequest().authenticated(); } }
非常感谢您的回答!
以下设置适用于我的春季启动应用程序:
http.authorizeRequests() .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()//allow CORS option calls .antMatchers("/home", "/").hasAnyAuthority(Role.ROLE_ADMIN, Role.ROLE_USER) .antMatchers("/admin").hasAuthority(Role.ROLE_ADMIN)enter code here