堆栈内存溢出
  简体   繁体   English

Spring Security和@Secured禁止使用

[英]Forbidden with Spring Security and @Secured

 原文  2016-02-14 06:54:52       java/ spring/ spring-security/ spring-boot

问题描述

I have setup Spring Security as follows: 我已经按照以下步骤设置了Spring Security: 

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

@Autowired
private MongoUserDetailsService userServiceDetails;

@Autowired
private BCryptPasswordEncoder bCryptEncoder;

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/js/**", "/css/**", "/fonts/**");
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .csrf().disable()
            .formLogin()
                .defaultSuccessUrl("/index", true)
                .loginPage("/login")
                .permitAll()
                .and()
            .httpBasic()
            .and()
            .logout()
                .permitAll()
                .deleteCookies("JSESSIONID")
                .invalidateHttpSession(true);
}

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth
       .userDetailsService(userServiceDetails)
       .passwordEncoder(bCryptEncoder);
}

And on my controller I have the following: 在我的控制器上,我有以下内容: 

@RequestMapping(method = RequestMethod.GET)
@Secured({"ADMIN"})
public List<Item> getItems(@RequestBody filter filter) {

    if (filter.hasMissingField()) {
        return new ArrayList<>();
    }

    return service.getItems(filter);
}

On logging in the user details object has the roles needed (In debug): 登录用户详细信息对象时,具有所需的角色(在调试中):

在此处输入图片说明

However, I am getting a 403 - Forbidden. 但是,我收到403-禁止。 I can't see why. 我不明白为什么。 If I remove the @Secured then I can access the page fine, but with @Secured({"ADMIN"}) it fails. 如果删除@Secured,则可以正常访问页面,但是使用@Secured({“ ADMIN”}),它将失败。

I have combed SO and I see errors in relation to @Secured not working at all , errors in relation to @Secured having no effects at the Controller level but not like my current scenario where it is failing to authorise with the needed role present. 我进行了梳理,我发现与@Secured有关的错误根本不起作用,@Secured有关的错误在Controller级别上没有任何作用,但是不像我当前的情况(在该情况下,该角色无法授权所需的角色)。

If it helps I am using Spring Boot 1.3.2. 如果有帮助,我正在使用Spring Boot 1.3.2。

Any help will be appreciated. 任何帮助将不胜感激。 Thanks 谢谢

1 个解决方案

解决方案1
 7 已采纳  2016-02-14 21:47:27

您必须将@Secured({"ROLE_ADMIN"})加上ROLE_前缀

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Spring Security,安全访问和非安全访问 - Spring Security, secured and none secured access Spring Security,注释@Secured 不起作用 - Spring Security, annotation @Secured is not working 由 spring 安全保护的测试方法 - Test method secured by spring security 403 禁止 - Spring 安全 - 403 forbidden - Spring Security Spring Data Rest + Spring Security:@Secured无法正常工作 - Spring Data Rest + Spring Security: @Secured not working Ldap 访问被禁止 spring 安全 - Ldap access forbidden spring security 春季安全angularjs禁止403 - spring security angularjs forbidden 403 Spring Security-@Secured仅在mvc控制器中有效 - Spring Security - @Secured works only in mvc Controller Spring MVC +安全性。 @Secured + @RequestMapping - Spring MVC + Security. @Secured + @RequestMapping Spring Security @Secured和HttpSession配置顺序 - spring security @Secured and HttpSession config ordering
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM