Forbidden with Spring Security and @Secured
I have set up Spring Security as follows:
    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(securedEnabled = true)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private MongoUserDetailsService userServiceDetails;

        @Autowired
        private BCryptPasswordEncoder bCryptEncoder;

        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers("/js/**", "/css/**", "/fonts/**");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .csrf().disable()
                .formLogin()
                    .defaultSuccessUrl("/index", true)
                    .loginPage("/login")
                    .permitAll()
                    .and()
                .httpBasic()
                    .and()
                .logout()
                    .permitAll()
                    .deleteCookies("JSESSIONID")
                    .invalidateHttpSession(true);
        }

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .userDetailsService(userServiceDetails)
                .passwordEncoder(bCryptEncoder);
        }
    }
And on my controller I have the following:
    @RequestMapping(method = RequestMethod.GET)
    @Secured({"ADMIN"})
    public List<Item> getItems(@RequestBody filter filter) {
        if (filter.hasMissingField()) {
            return new ArrayList<>();
        }
        return service.getItems(filter);
    }
On logging in, the user details object has the roles needed (in debug):
However, I am getting a 403 - Forbidden. I can't see why. If I remove the @Secured then I can access the page fine, but with @Secured({"ADMIN"}) it fails.
I have combed SO and I see errors in relation to @Secured not working at all, errors in relation to @Secured having no effects at the Controller level but not like my current scenario where it is failing to authorise with the needed role present.
If it helps I am using Spring Boot 1.3.2.
Any help will be appreciated. Thanks
You have to write @Secured({"ROLE_ADMIN"}), adding the ROLE_ prefix.
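Why the prefix matters, as an added example that is not part of the original post: it calls the RoleVoter and AuthenticatedVoter from spring-security-core directly, the voter types that decide @Secured checks. The class name SecuredPrefixDemo, the user alice and the authority strings are assumptions, since the debug output from the question is not shown on the page.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class SecuredPrefixDemo {
    // Voters that evaluate @Secured values; RoleVoter's default prefix is "ROLE_".
    static final RoleVoter ROLE_VOTER = new RoleVoter();
    static final AffirmativeBased MANAGER = new AffirmativeBased(
            Arrays.<AccessDecisionVoter<? extends Object>>asList(ROLE_VOTER, new AuthenticatedVoter()));

    // Evaluates one @Secured value against one granted authority (both constructed samples).
    static String check(String grantedAuthority, String securedValue) {
        Authentication user = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList(grantedAuthority));
        List<ConfigAttribute> attrs = SecurityConfig.createList(securedValue);
        // RoleVoter abstains on any attribute that does not start with its prefix.
        int vote = ROLE_VOTER.vote(user, null, attrs);
        String decision = "allowed";
        try {
            // AffirmativeBased rejects when no voter grants, including when all abstain.
            MANAGER.decide(user, null, attrs);
        } catch (AccessDeniedException e) {
            decision = "denied";
        }
        return String.format("authority=%s @Secured(\"%s\") supported=%b vote=%d -> %s",
                grantedAuthority, securedValue, ROLE_VOTER.supports(attrs.get(0)), vote, decision);
    }

    public static void main(String[] args) {
        System.out.println(check("ROLE_ADMIN", "ADMIN"));      // annotation from the question
        System.out.println(check("ROLE_ADMIN", "ROLE_ADMIN")); // annotation from the answer
        System.out.println(check("ADMIN", "ROLE_ADMIN"));      // authority stored without prefix
    }
}
```

The vote values are the AccessDecisionVoter constants: 1 is ACCESS_GRANTED, 0 is ACCESS_ABSTAIN and -1 is ACCESS_DENIED. The third case shows that the granted authority has to carry the prefix as well as the annotation.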
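Notice: the technical posts on this site are published under the CC BY-SA 4.0 license. If you republish them, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.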