如何在Spring Boot Application中添加方法级别身份验证？

Question

I am working on spring boot application, My requirement is to add Method level security to access data. I am facing problem when I add @PreAuthorize in my controller it redirect to error page when I access any method of this controller.

My WebSecurityConfigurerAdapter is

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

@Value("${app.secret}")
private String applicationSecret;

@Autowired
private UserDetailsService userDetailsService;

@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
}

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests().antMatchers("/", "contactus", "aboutus", "gallery", "signup").permitAll()
            .antMatchers("/user/register").permitAll()          
            .antMatchers("/user/autologin")
            .access("hasRole('ROLE_ADMIN') or hasRole('ROLE_SUPER') or hasRole('ROLE_USER')")
            .antMatchers("/user/delete").access("hasRole('ROLE_ADMIN')").antMatchers("/user/**")
            .access("hasRole('ROLE_ADMIN') or hasRole('ROLE_SUPER') or hasRole('ROLE_USER')")
            .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')").antMatchers("/super/**")
            .access("hasRole('ROLE_ADMIN') or hasRole('ROLE_SUPER')");
            http.formLogin().failureUrl("/login?error").defaultSuccessUrl("/user/home").loginPage("/login").permitAll()
            .and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login")
            .permitAll().and().exceptionHandling().accessDeniedPage("/403").and().csrf().and().rememberMe()
            .key(applicationSecret).tokenValiditySeconds(31536000);

}
}

and my controller is

public interface OrganizationApi {

@PreAuthorize("hasAuthority('ROLE_USER')")
@RequestMapping(value="/user/organization/edit/{id}", method = RequestMethod.GET)
String update(@PathVariable Long id, Model model) throws Exception;

@PreAuthorize("@userServiceImpl.canAccessUser(principal, #id)")
@RequestMapping(value="/user/myorganizations", method = RequestMethod.GET)
String getAllOrganizationByUserId(Model model);
}


@Controller
public class OrganizationApiImpl extends RequestMappings implements       OrganizationApi {
private final Logger log = LoggerFactory.getLogger(this.getClass());
@Autowired
OrgService orgService;

@Autowired
UserService userService;

@Override
public String getAllOrganizationByUserId(Model model) {
    model.addAttribute("organizations",
            orgService.listAllOrganizationByUserId(userService.getLoggedInUser().getId()));
    return "organizations";
}

@Override
public String update(@PathVariable Long id, Model model) throws Exception {
    if (userService.getLoggedInUser().getId() != orgService.getOrgById(id).getUserId()) {
        model.addAttribute("error","You are not authorised to edit this recored.");
        return "error";
    }
    model.addAttribute("organization", orgService.getOrgById(id));
    return "addorganization";
}
}

In this when I comment @PreAuthorize my application works fine but when @PreAuthorize enabled application does not work and redirected to error page.

Is there anything that i missed in configuration?

I got error on browser console 404 /user/myorganizations not found.

Answer 1

Your interface is missing the @Controller annotation, which is why you're getting a 404 error when trying to access the endpoint.

It never got mapped.

Spring will actually output all mappings on startup, so you should check the logs first, when you encounter an unexpected 404 error like that.