配置弹簧安全性后未经授权的呼叫
[英]Unauthorized calls after configuring spring security
问题描述
I want to secure my REST endpoints but I'm having troubles... it was just fine while I was using inMemoryAuth , but since I tried to use credentials stored in the database - it stopped working. 
我想保护我的REST端点,但是我遇到了麻烦...我在使用inMemoryAuth ,但是因为我试图使用存储在数据库中的凭据 - 它停止了工作。
Ok, so my Entity classes look like that 好的,所以我的Entity类看起来像那样
class User {
@Id
@GeneratedValue
@Column(name = "user_id")
private Integer id;
@Column
private String username;
@Column
private String password;
@ManyToMany
@JoinTable(name = "user_role", joinColumns = @JoinColumn(name = "user_id"), inverseJoinColumns = @JoinColumn(name = "role_id"))
private Set<Role> roles;
}
class Role {
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
@Column(name = "role_id")
private Integer id;
@Column(name = "role")
private String role;
}
And my security config 我的安全配置
@Configuration
class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Value("${spring.queries.users-query}")
private String usersQuery;
@Value("${spring.queries.roles-query}")
private String rolesQuery;
private DataSource dataSource;
public SecurityConfiguration(DataSource dataSource) {
this.dataSource = dataSource;
}
@Bean
public BCryptPasswordEncoder passwordEncoder() {
BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();
return bCryptPasswordEncoder;
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.jdbcAuthentication()
.usersByUsernameQuery(usersQuery)
.authoritiesByUsernameQuery(rolesQuery)
.dataSource(dataSource)
.passwordEncoder(passwordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic()
.and()
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/task/**").hasRole("USER")
.and()
.csrf().disable()
.formLogin().disable();
}
}
And finally, application.properties 最后, application.properties
spring.jpa.hibernate.ddl-auto=update
spring.datasource.url=jdbc:mysql://localhost:3306/teamplanner?useUnicode=true&useJDBCCompliantTimezoneShift=true&useLegacyDatetimeCode=false&serverTimezone=Europe/Warsaw
spring.datasource.username=root
spring.datasource.password=root
spring.queries.users-query=select username, password from user where username=?
spring.queries.roles-query=select u.username, r.role from user u inner join user_role ur on(u.user_id=ur.user_id) inner join role r on(ur.role_id=r.role_id) where u.username=?
Now, I'm trying to call /task/all with Basic auth in postman and I'm getting 现在,我正在尝试使用邮递员中的Basic auth调用/ task / all,我得到了
{
"timestamp": "2019-04-21T22:50:17.189+0000",
"status": 401,
"error": "Unauthorized",
"message": "Unauthorized",
"path": "/task/all"
}
Both queries I've stored in the application.properties return records if I run them directly in the database 如果我直接在数据库中运行它们,我存储在application.properties中的两个查询都会返回记录
1 个解决方案
解决方案1
0 2019-04-22 04:21:00
you should tell spring security that the user is enabled, see the source code in JdbcDaoImpl 你应该告诉spring安全性用户是否已启用,请参阅JdbcDaoImpl的源代码
so you should change the configuration spring.queries.users-query 所以你应该改变配置spring.queries.users-query
spring.queries.users-query=select username, password, 1 from user where username=?
if you can't still make it sense, change the value of role name from USER to ROLE_USER 如果仍然无法理解,请将角色名称的值从USER更改为ROLE_USER
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.