403访问每次都拒绝Spring Security

Question

I am getting 403 on every request having pattern /admin I need to restrict /admin only for admin role. 我在每个有模式/管理员的请求上得到403我需要限制/管理员只有管理员角色。

Failed approach : 失败的方法：

Tried using @PreAuthorize(hasRole('ADMIN')) and @PreAuthorize(hasRole('ROLE_ADMIN')) on controller but no luck. 在控制器上使用@PreAuthorize(hasRole('ADMIN'))和@PreAuthorize(hasRole('ROLE_ADMIN'))但没有运气。
Tried removing @PreAuthorize from controller and adding pattern in the below class with hasRole but no luck 尝试从控制器中删除@PreAuthorize并使用hasRole在下面的类中添加模式但没有运气

Below is the class extends WebSecurityConfigurerAdapter 下面是类扩展WebSecurityConfigurerAdapter

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{

    @Autowired
    AuthenticationEntryPoint authenticationEntryPoint;

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .exceptionHandling()
                .authenticationEntryPoint(authenticationEntryPoint)
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()

                .antMatchers(HttpMethod.OPTIONS).permitAll()
              .antMatchers(HttpMethod.GET,"/admin/**").hasAnyRole("ADMIN","ADMIN_TENANT")
                .anyRequest().authenticated()
                .and()
            .logout()
                .permitAll()
                .and()
            .csrf()
                .disable();
        httpSecurity.
            addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);

        httpSecurity.
            headers().cacheControl().disable();
    }

Already tried solutions mentioned in similar question but no luck. 已经尝试过类似问题中提到的解决方案，但没有运气。 So please don't mark it duplicate. 所以请不要将其标记为重复。

Answer 1

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{

    @Autowired
    AuthenticationEntryPoint authenticationEntryPoint;

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .exceptionHandling()
                .authenticationEntryPoint(authenticationEntryPoint)
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()

                .antMatchers(HttpMethod.OPTIONS).permitAll()
              .antMatchers(HttpMethod.GET,"/admin/**").hasAnyRole("ADMIN","ADMIN_TENANT") // change hasAnyrole to hasAnyAuthority
                .anyRequest().authenticated()
                .and()
            .logout()
                .permitAll()
                .and()
            .csrf()
                .disable();
        httpSecurity.
            addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);

        httpSecurity.
            headers().cacheControl().disable();
    }

Answer 2

My similar Git Project : here 我类似的Git项目 ：这里

    // Config to check if already active
    http.authorizeRequests()
    .and() 
    .rememberMe()
    .tokenRepository(new JdbcTokenRepositoryImpl().setDataSource(//datasource_name) )
     .tokenValiditySeconds(//TimeInterval in sec); 

}

403访问每次都拒绝Spring Security

问题描述

2 个解决方案

解决方案1
0 2019-04-02 09:51:29

解决方案2
0 2019-04-02 09:56:12

403访问每次都拒绝Spring Security

问题描述

2 个解决方案

解决方案1 0 2019-04-02 09:51:29

解决方案2 0 2019-04-02 09:56:12

解决方案1
0 2019-04-02 09:51:29

解决方案2
0 2019-04-02 09:56:12