Spring 启动安全 JDBC 基本认证失败

Question

我正在使用 Spring 启动安全应用程序中的 PostgreSQL 数据库设置 JDBC 身份验证。

我为用户和角色创建了下表，分别命名为“users”和“user_authorities”。

CREATE SEQUENCE users_id_seq
  INCREMENT 1
  START 1
  MINVALUE 1
  MAXVALUE 2147483647
  CACHE 1;

CREATE TABLE users (
  id       integer NOT NULL DEFAULT nextval('users_id_seq'),
  username VARCHAR ( 100 ) UNIQUE NOT NULL,
  password VARCHAR ( 100 ) NOT NULL,
  enabled  boolean NOT NULL,
  CONSTRAINT users_pkey PRIMARY KEY (id)
);

CREATE SEQUENCE user_authorities_id_seq
  INCREMENT 1
  START 1
  MINVALUE 1
  MAXVALUE 2147483647
  CACHE 1;

  CREATE TABLE user_authorities(
   id         integer NOT NULL DEFAULT nextval('user_authorities_id_seq'),
   user_id   integer NOT NULL,
   authority varchar(100) not null,
   CONSTRAINT user_authorities_pkey PRIMARY KEY (id)
  );

然后插入数据如下：

-- create user: 'user'
INSERT INTO users(username,password,enabled) 
VALUES('user','$2a$10$TfjwK4p4y2xn5f6RN78gwOz0Le.cMGuhNaz51WDjChGCDF9Z0yqci',true);

-- create user: 'admin'
INSERT INTO users(username,password,enabled) 
VALUES('admin','$2a$10$lbZgb/zt4jBoPjqF.RfsOOOKyKJMOZjFS8QMyO.5p7Ob/jzf7ASPC',true);

-- create role: 'USER' for the user: 'user'
INSERT INTO users_authorities(user_id,authority) VALUES((select u.id from users u where u.username = 
'user'),'USER');

-- create role: 'ADMIN' for the user: 'admin'
INSERT INTO user_authorities(user_id,authority) VALUES((select u.id from users u where u.username = 
'admin'),'ADMIN');

Spring 启动应用程序端，我有安全配置：

package com.mi.rest.webservices.restfulwebservices.security;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import 
 org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter{

   @Autowired
   DataSource dataSource;

   @Autowired
   BCryptPasswordEncoder bCryptEncoder;

   private static final String GET_USERS_SQL = "SELECT username, password, enabled from users where       
   username = ?";

   private static final String GET_USER_AUTHORITIES_SQL = "SELECT u.username, a.authority FROM    
   user_authorities a, users u WHERE u.username = ? AND u.id = a.user_id";

/**
 * Specify authentication scheme:
 * 
 * 1. In memory
 * 2. JDBC
 * 3. LDAP
 * 
 */
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {

    /**
     auth.inMemoryAuthentication()  
   .withUser("user").password("$2a$10$TfjwK4p4y2xn5f6RN78gwOz0Le.cMGuhNaz51WDjChGCDF9Z0yqci")
   .roles("USER")
   .and()
   .withUser("admin")
   .password("$2a$10$lbZgb/zt4jBoPjqF.RfsOOOKyKJMOZjFS8QMyO.5p7Ob/jzf7ASPC")
   .roles("ADMIN");
    */
    
    auth
    .jdbcAuthentication()       
    .usersByUsernameQuery(GET_USERS_SQL)
    .authoritiesByUsernameQuery(GET_USER_AUTHORITIES_SQL)
    .dataSource(dataSource)
    .passwordEncoder(bCryptEncoder);
}

//Authorization:
@Override
protected void configure(HttpSecurity http) throws Exception {

    http
            //HTTP Basic authentication
            .httpBasic()
            .and()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/todo-app/userOnly").hasRole("USER")
            .antMatchers(HttpMethod.GET, "/todo-app/todos/**").hasRole("USER")
            .antMatchers(HttpMethod.GET, "/todo-app/adminOnly").hasRole("ADMIN")
            .antMatchers(HttpMethod.OPTIONS,"/**").permitAll()
            //.and()
            //.csrf().disable()
            ;
   }

 }

现在为了测试我的设置，我有一个带有以下端点的 RestController：

  package com.mi.rest.webservices.restfulwebservices.controllers;

  import java.util.ArrayList;
  import java.util.Date;
  import java.util.List;

  import org.springframework.beans.factory.annotation.Autowired;
  import org.springframework.jdbc.core.JdbcTemplate;
  import org.springframework.web.bind.annotation.CrossOrigin;
  import org.springframework.web.bind.annotation.GetMapping;
  import org.springframework.web.bind.annotation.PathVariable;
  import org.springframework.web.bind.annotation.PostMapping;
  import org.springframework.web.bind.annotation.RequestBody;
  import org.springframework.web.bind.annotation.RequestMapping;
  import org.springframework.web.bind.annotation.RestController;

  @RestController
  @RequestMapping("/todo-app")
  @CrossOrigin(origins = "http://localhost:4200")
  public class TodoController { 

      @GetMapping("/userOnly")
      public TodoItem getForUserOnly() {
       TodoItem todo9 = new TodoItem();
       todo9.setId(9);
       todo9.setDescription("USER role item");
       todo9.setDone(false);
       todo9.setTargetDate(new Date());
       todo9.setUser("user");
    
       return todo9;
   }

   @GetMapping("/adminOnly")
   public TodoItem getForAdminOnly() {
       TodoItem todo9 = new TodoItem();
       todo9.setId(9);
       todo9.setDescription("ADMIN role item");
       todo9.setDone(false);
       todo9.setTargetDate(new Date());
       todo9.setUser("admin");
    
       return todo9;
      }
  }

使用 Postman 进行测试，我不断收到 403 禁止所有测试（使用用户和管理员授权的端点）。

这张照片缺少什么？ 非常感谢任何提示和建议。

Answer 1

不要说我将“角色”附加到每个权限。 Spring 希望当局有一个前缀"ROLE...." 。

参考 - Spring 文档

编辑您的users_authorities表的插入

-- create role: 'USER' for the user: 'user'
INSERT INTO users_authorities(user_id,authority) VALUES((select u.id from users u where u.username = 
'user'),'ROLE_USER');

-- create role: 'ADMIN' for the user: 'admin'
INSERT INTO user_authorities(user_id,authority) VALUES((select u.id from users u where u.username = 
'admin'),'ROLE_ADMIN');