[英]Spring Boot Security -Basic Authentication
我使用 spring 引导安全来实现基本身份验证。 下面是我的代码。绕过了我的基于角色的授权,基本身份验证不起作用。没有凭据,我的服务也给出响应,没有抛出任何错误。当我传递错误的凭据时,它没有抛出任何错误。如何解决这个错误。任何人都可以建议吗?
package com.agcs.cids.security;
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
// Authentication : User --> Roles
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.inMemoryAuthentication().withUser("user1").password("Secret1").roles("USER");
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/id").hasAuthority("USER");
}
}
我的 Controller Class 有多个端点:
@RestController
@RequestMapping(value = "/claims", produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
public class Controller {
/**
* @param policyIdentifier
* @param lineOfBusiness
* @param broker
* @return
*/
@RequestMapping(value = "/search", method = RequestMethod.GET)
public Object getClaimsBySearchCriteria(@RequestParam(value = "id") String userId ) throws ParseException, JsonProcessingException, javax.xml.bind.ValidationException {
Query query = new Query();
// int queryLimit = 1000;
if (policyIdentifier != null && !policyIdentifier.isEmpty())
query.addCriteria(Criteria.where("Common.PolicyId").is(policyIdentifier));
List<Claims> claims = mongoOps.find(query, Claims.class);
LOG.info("Claims returned: " + claims.toString());
return claims;
}
@RequestMapping(value = "/", method = RequestMethod.GET)
public void getClaimsService() {
LOG.info("Claims service is available");
}
@RequestMapping(value = "/id/", method = RequestMethod.GET)
public String getClaims(@RequestParam(value = "userId") String userId,
@RequestParam(value = "id") String id) throws JsonProcessingException {
MongoDatabase database = this.mongoClient.getDatabase(this.database);
MongoCollection<Document> collection = database.getCollection(this.collection);
Document query = new Document("_id", new ObjectId(id));
FindIterable<Document> documentCursor = collection.find(query);
List<Document> claimsUpdatedList = null;
for (Document doc : documentCursor) {
claimsUpdatedList = new ArrayList<>();
if (null != doc.get("Common")) {
Document common = (Document) doc.get("Common");
if (null != common.get("EffectiveDate")) {
Date date = (Date) common.get("EffectiveDate");
common.put("EffectiveDate",convertDate(date));
}
if (null != common.get("ExpirationDate")) {
Date date = (Date) common.get("ExpirationDate");
common.put("ExpirationDate",convertDate(date));
}
doc.put("Common",common);
claimsUpdatedList.add(doc);
}
}
JsonWriterSettings writerSettings = JsonWriterSettings.builder().outputMode(JsonMode.SHELL).indent(true).build();
return claimsUpdatedList != null ? claimsUpdatedList.get(0).toJson(writerSettings) : null;
}
}
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.inMemoryAuthentication().withUser("user1").password("{noop}Secret1").roles("USER");
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/claims/id/").hasRole("USER")
.and()
.httpBasic();
}
}
/claims/id/
,而不是/id/
USER
定义为角色名称,而不是权限名称,因此需要hasRole()
httpBasic()
到 basic-auth ( 10.10.2. Basic Authentication ){noop}
( 密码存储格式)你快到了。
使用.antMatchers("/id/**").hasRole("USER");
而不是.antMatchers("/id").hasAuthority("USER");
尝试这个
http.csrf().disable().authorizeRequests()
.antMatchers("/id/**").hasAnyRole("USER").and()
.authorizeRequests().antMatchers("/").permitAll();
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.