Spring Boot with embedded Tomcat ignores Method Roles
I use Spring Boot 1.2.1 with embedded Tomcat and Spring Boot Starter Security. Furthermore, I use a RestController for some webservices, and I want only certain users with certain roles to be able to access the webservices. But it does not work; the security does not use the RoleVoter to check the roles. With the following example the user "user" can access the webservices although he doesn't have the right roles!
First my application configuration
@Configuration
@EnableJms
@ImportResource( "classpath:net/bull/javamelody/monitoring-spring.xml" )
@EnableAspectJAutoProxy
@ComponentScan
@PropertySource( "classpath:application.properties" )
@EnableAutoConfiguration
@EnableGlobalMethodSecurity( securedEnabled = true )
public class ItemConfiguration { ... }
Now my security configuration
@Configuration
@EnableWebSecurity
@Order( SecurityProperties.ACCESS_OVERRIDE_ORDER )
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure( AuthenticationManagerBuilder auth ) throws Exception {
        auth.inMemoryAuthentication().withUser( "user" ).password( "password" ).roles( "USER" );
    }

    @Override
    protected void configure( HttpSecurity http ) throws Exception {
        http.authorizeRequests().anyRequest().fullyAuthenticated();
        http.httpBasic();
        http.csrf().disable();
    }
}
The RestController
@RestController
public class QueryController {
    @Secured( { "ROLE_ADMIN" } )
    @RequestMapping( value = "/", method = { POST }, consumes = { MediaType.APPLICATION_JSON_VALUE },
            produces = MediaType.APPLICATION_JSON_VALUE )
    ResponseEntity< List< BaseEntity > > query( @RequestBody @Valid final ItemQueryRequestData request )
            throws Exception {
        return new ResponseEntity<>( "", HttpStatus.OK );
    }
}
application.properties
spring.data.mongodb.database = item
spring.data.mongodb.host = ${MONGODB_URI:pimpoc01}
spring.data.mongodb.port = ${MONGODB_PORT:27017}
spring.activemq.broker-url=${BROKER_URL:tcp://pimpoc01:61616}
spring.activemq.user=
spring.activemq.password=
spring.activemq.pooled=true
queue.item.in.channelId = item-in
queue.item.in.concurrentConsumers = 1
queue.item.in.destination = item-in
queue.itemOption.in.channelId = itemOption-in
queue.itemOption.in.concurrentConsumers = 1
queue.itemOption.in.destination = itemOption-in
queue.style.in.channelId = style-in
queue.style.in.concurrentConsumers = 1
queue.style.in.destination = style-in
queue.concurrentConsumers = 50
queue.dataCreation.response = dataCreationResponse
queue.structureAttributeValue.in.channelId = structureAttributeValue-in
queue.structureAttributeValue.in.concurrentConsumers = 1
queue.structureAttributeValue.in.destination = structureAttributeValue-in
validation.endpoint = ${VALIDATOR_URI:http://pimpoc01:8080/validator}
Thanks for any help!
Remove the below line from the security configuration. I think the @Order annotation is overriding the basic authentication.
@Order( SecurityProperties.ACCESS_OVERRIDE_ORDER )
I ran into a similar problem and solved it by making my controller method public, i.e. making the QueryController.query method public.
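The second answer ties the missing role check to the handler method not being public. A check for that condition, suitable for a unit test or a startup hook, is sketched below as an added example; it is not code from the question or the answers. `SecuredVisibilityAudit` and `SampleController` are hypothetical names, the sample controller is constructed to mirror the question, and spring-security-core is assumed to be on the classpath.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.security.access.annotation.Secured;

/** Added example: flags @Secured methods that are not public. */
public class SecuredVisibilityAudit {

    /** Returns one finding per non-public method that carries @Secured. */
    static List<String> nonPublicSecuredMethods(Class<?>... types) {
        List<String> findings = new ArrayList<>();
        for (Class<?> type : types) {
            // getDeclaredMethods() skips inherited methods, so walk the hierarchy.
            for (Class<?> c = type; c != null && c != Object.class; c = c.getSuperclass()) {
                for (Method m : c.getDeclaredMethods()) {
                    Secured secured = m.getAnnotation(Secured.class);
                    if (secured != null && !Modifier.isPublic(m.getModifiers())) {
                        findings.add(c.getName() + "#" + m.getName()
                                + " requires " + Arrays.toString(secured.value())
                                + " but is not public");
                    }
                }
            }
        }
        return findings;
    }

    // Constructed sample mirroring the question's controller (hypothetical class).
    static class SampleController {
        @Secured({ "ROLE_ADMIN" })
        String query() { return ""; }              // package-private, as in the question

        @Secured({ "ROLE_ADMIN" })
        public String publicQuery() { return ""; } // public, not reported
    }

    public static void main(String[] args) {
        List<String> findings = nonPublicSecuredMethods(SampleController.class);
        for (String finding : findings) {
            System.out.println(finding);
        }
        // Fail the build (or refuse to start) when any finding exists.
        if (!findings.isEmpty()) {
            System.exit(1);
        }
    }
}
```

Run against the sample, it reports only `query`; in a real project the class list would come from the application's own controllers.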