403 access denied Spring Security everytime

I am getting 403 on every request having pattern /admin. I need to restrict /admin only for admin role.

Failed approach:

Using @PreAuthorize(hasRole('ADMIN')) and @PreAuthorize(hasRole('ROLE_ADMIN')) on controller but no luck.

Tried removing @PreAuthorize from controller and adding pattern in the below class with hasRole but no luck.

Below is the class that extends WebSecurityConfigurerAdapter:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    AuthenticationEntryPoint authenticationEntryPoint;

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .exceptionHandling()
                .authenticationEntryPoint(authenticationEntryPoint)
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS).permitAll()
                // GET requests under /admin require one of these roles
                .antMatchers(HttpMethod.GET, "/admin/**").hasAnyRole("ADMIN", "ADMIN_TENANT")
                .anyRequest().authenticated()
                .and()
            .logout()
                .permitAll()
                .and()
            .csrf()
                .disable();

        // Custom token filter runs before the username/password filter;
        // authenticationTokenFilterBean() is not shown in the post
        httpSecurity
            .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);

        httpSecurity
            .headers().cacheControl().disable();
    }
}

Already tried solutions mentioned in similar question but no luck. So please don't mark it duplicate.

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    AuthenticationEntryPoint authenticationEntryPoint;

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .exceptionHandling()
                .authenticationEntryPoint(authenticationEntryPoint)
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS).permitAll()
                .antMatchers(HttpMethod.GET, "/admin/**").hasAnyRole("ADMIN", "ADMIN_TENANT") // change hasAnyRole to hasAnyAuthority
                .anyRequest().authenticated()
                .and()
            .logout()
                .permitAll()
                .and()
            .csrf()
                .disable();

        httpSecurity
            .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);

        httpSecurity
            .headers().cacheControl().disable();
    }
}
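
Why the change suggested in the answer above has an effect, as an added example that is not part of the original post: hasRole/hasAnyRole prepend Spring Security's default ROLE_ prefix before comparing, while hasAuthority/hasAnyAuthority compare the authority string verbatim. The class name RolePrefixDemo and the sample principals are constructed, and it assumes the token filter grants the authority ADMIN without a prefix and that spring-security-core is on the classpath.

```java
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class RolePrefixDemo {

    // Build an authenticated token carrying exactly the given authority strings,
    // as a custom token filter might (constructed sample principal).
    static Authentication tokenWith(String... authorities) {
        return new UsernamePasswordAuthenticationToken(
                "sample-user", null, AuthorityUtils.createAuthorityList(authorities));
    }

    // Run the role and authority checks against one principal and report each result.
    static String evaluate(Authentication auth) {
        // SecurityExpressionRoot is abstract; an empty subclass is enough here.
        SecurityExpressionRoot root = new SecurityExpressionRoot(auth) { };
        return String.format(
                "%-14s hasRole('ADMIN')=%-5b hasAnyRole(...)=%-5b "
                        + "hasAuthority('ADMIN')=%-5b hasAnyAuthority(...)=%b",
                auth.getAuthorities(),
                root.hasRole("ADMIN"),
                root.hasAnyRole("ADMIN", "ADMIN_TENANT"),
                root.hasAuthority("ADMIN"),
                root.hasAnyAuthority("ADMIN", "ADMIN_TENANT"));
    }

    public static void main(String[] args) {
        // Authority stored without a prefix: only the *Authority checks match.
        System.out.println(evaluate(tokenWith("ADMIN")));
        // Authority stored with the ROLE_ prefix: only the *Role checks match.
        System.out.println(evaluate(tokenWith("ROLE_ADMIN")));
    }
}
```

If the token filter granted ROLE_ADMIN instead, the original hasAnyRole rule would match without any change to the configuration.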