I use Spring Boot 1.2.1 with embedded Tomcat and Spring Boot Starter Security. Furthermore, I use a RestController for some webservices, and I want only certain users with certain roles to be able to access the webservices. But it does not work: the security does not use the RoleVoter to check the roles. With the following example the user "user" can access the webservices although he hasn't the right roles!
First, my application configuration:
    import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
    import org.springframework.context.annotation.ComponentScan;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.EnableAspectJAutoProxy;
    import org.springframework.context.annotation.ImportResource;
    import org.springframework.context.annotation.PropertySource;
    import org.springframework.jms.annotation.EnableJms;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

    @Configuration
    @EnableJms
    @ImportResource( "classpath:net/bull/javamelody/monitoring-spring.xml" )
    @EnableAspectJAutoProxy
    @ComponentScan
    @PropertySource( "classpath:application.properties" )
    @EnableAutoConfiguration
    @EnableGlobalMethodSecurity( securedEnabled = true )   // enables @Secured checks on beans
    public class ItemConfiguration { ... }
Now my security configuration:
    import org.springframework.boot.autoconfigure.security.SecurityProperties;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    @Order( SecurityProperties.ACCESS_OVERRIDE_ORDER )
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure( AuthenticationManagerBuilder auth ) throws Exception {
            // single in-memory user that only has ROLE_USER
            auth.inMemoryAuthentication().withUser( "user" ).password( "password" ).roles( "USER" );
        }

        @Override
        protected void configure( HttpSecurity http ) throws Exception {
            // every request only requires an authenticated user; no URL-level role rule
            http.authorizeRequests().anyRequest().fullyAuthenticated();
            http.httpBasic();
            http.csrf().disable();
        }
    }
The RestController:
    import static org.springframework.web.bind.annotation.RequestMethod.POST;
    import java.util.Collections;
    import java.util.List;
    import javax.validation.Valid;
    import org.springframework.http.*;
    import org.springframework.security.access.annotation.Secured;
    import org.springframework.web.bind.annotation.*;
    // BaseEntity and ItemQueryRequestData are the project's own classes (imports omitted)

    @RestController
    public class QueryController {
        @Secured( { "ROLE_ADMIN" } )
        @RequestMapping( value = "/", method = { POST }, consumes = { MediaType.APPLICATION_JSON_VALUE },
                         produces = MediaType.APPLICATION_JSON_VALUE )
        // no access modifier: the method is package-private
        ResponseEntity< List< BaseEntity > > query( @RequestBody @Valid final ItemQueryRequestData request )
                throws Exception {
            return new ResponseEntity<>( Collections.<BaseEntity>emptyList(), HttpStatus.OK );
        }
    }
application.properties:
spring.data.mongodb.database = item
spring.data.mongodb.host = ${MONGODB_URI:pimpoc01}
spring.data.mongodb.port = ${MONGODB_PORT:27017}
spring.activemq.broker-url=${BROKER_URL:tcp://pimpoc01:61616}
spring.activemq.user=
spring.activemq.password=
spring.activemq.pooled=true
queue.item.in.channelId = item-in
queue.item.in.concurrentConsumers = 1
queue.item.in.destination = item-in
queue.itemOption.in.channelId = itemOption-in
queue.itemOption.in.concurrentConsumers = 1
queue.itemOption.in.destination = itemOption-in
queue.style.in.channelId = style-in
queue.style.in.concurrentConsumers = 1
queue.style.in.destination = style-in
queue.concurrentConsumers = 50
queue.dataCreation.response = dataCreationResponse
queue.structureAttributeValue.in.channelId = structureAttributeValue-in
queue.structureAttributeValue.in.concurrentConsumers = 1
queue.structureAttributeValue.in.destination = structureAttributeValue-in
validation.endpoint = ${VALIDATOR_URI:http://pimpoc01:8080/validator}
Thanks for any help!
Remove the below line from the security configuration. I think the @Order annotation is overriding the basic authentication.
    @Order( SecurityProperties.ACCESS_OVERRIDE_ORDER )
I ran into a similar problem and solved it by making my controller method QueryController.query public, i.e. declaring the QueryController.query method as public.
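As an added example (not code from the question or from either answer), here is a variant of the security configuration that enforces ROLE_ADMIN for the POST webservice at the URL level as well, so the role check no longer depends solely on the @Secured interceptor being applied to the controller method. It assumes the Spring Security 3.2 Java config APIs that Spring Boot 1.2 ships; the second in-memory user "admin" and its password are constructed sample values, and the @Order line is left out as the first answer suggests.

```java
// Added example (not from the question or the answers): role enforcement at the
// URL level, complementing the @Secured annotation on the controller method.
// Assumptions: Spring Boot 1.2.x / Spring Security 3.2 APIs as used in the question;
// the "admin" user and both passwords are constructed sample values.
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure( AuthenticationManagerBuilder auth ) throws Exception {
        auth.inMemoryAuthentication()
            // the user from the question: ROLE_USER only, so POST / must be refused
            .withUser( "user" ).password( "password" ).roles( "USER" ).and()
            // constructed second user that is allowed to call the webservice
            .withUser( "admin" ).password( "admin-password" ).roles( "ADMIN" );
    }

    @Override
    protected void configure( HttpSecurity http ) throws Exception {
        http.authorizeRequests()
                // URL-level rule: only ROLE_ADMIN may POST to the query endpoint;
                // hasRole( "ADMIN" ) is checked as the authority "ROLE_ADMIN"
                .antMatchers( HttpMethod.POST, "/" ).hasRole( "ADMIN" )
                // everything else still requires a fully authenticated user
                .anyRequest().fullyAuthenticated()
            .and().httpBasic()
            .and().csrf().disable();
    }
}
```

With this in place a POST to / authenticated as "user" is rejected by the filter chain with 403 before the controller is reached, and the @Secured( "ROLE_ADMIN" ) annotation on the (now public, as the second answer suggests) controller method stays as a second, independent check at the method level. Verifying both paths separately, once with the URL rule removed and once with the annotation removed, shows which of the two layers is actually doing the work.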