[英]Spring Security role based authentication - 403 Forbidden although user has ROLE_ADMIN
我希望只有具有“管理员”角色的用户才能获得“欢迎管理员!” 信息:
@GetMapping("/admin")
public String admin() {
return "Welcome Admin!";
}
所以我将.antMatchers("/admin").access("hasRole('ADMIN')")到我的 SecurityConfig 中:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private CustomUserDetailsService userDetailsService;
@Autowired
private JwtFilter jwtFilter;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService);
}
@Bean
public PasswordEncoder passwordEncoder() {
return PasswordEncoderFactories.createDelegatingPasswordEncoder();
}
@Bean(name = BeanIds.AUTHENTICATION_MANAGER)
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors();
http.csrf().disable().authorizeRequests()
.antMatchers("/authenticate", "/users/register","/products").permitAll()
.antMatchers("/admin").access("hasRole('ADMIN')") // HERE IT SHOULD CHECK FOR THE ADMIN ROLE
.anyRequest().authenticated().and().exceptionHandling()
.and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);;
}
}
我用来访问的用户也具有 Admin 角色:
但我总是得到 403 Forbidden 作为回应:
我没有将.antMatchers("/admin").access("hasRole('ADMIN')")到我的 SecurityConfig 中,而是尝试使用注释来限制访问:
@PreAuthorize("hasRole('ROLE_ADMIN')")
//or @Secured({"ROLE_ADMIN"})
@GetMapping("/admin")
public String admin() {
return "Welcome Admin!";
}
但是我可以与任何用户一起访问它,即使他们没有管理员角色(响应状态 = 200)。 我在这里做错了什么?
附加信息:
我的用户详细信息服务:
@Service
public class CustomUserDetailsService implements UserDetailsService {
@Autowired
private UserRepository userRepository;
@Autowired
private RoleRepository roleRepository;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = null;
try {
user = userRepository.findByName(username);
} catch(Exception e){
String message = e.getMessage();
System.out.println(message);
}
if (user == null) {
return new org.springframework.security.core.userdetails.User(
" ", " ", true, true, true, true,
getAuthorities(Arrays.asList(
roleRepository.findByName("ROLE_USER"))));
}
return new org.springframework.security.core.userdetails.User(user.getName(), user.getPassword(), user.isEnabled(), true, true, true, getAuthorities(user.getRoles()));
}
private Collection<? extends GrantedAuthority> getAuthorities(
Collection<Role> roles) {
return getGrantedAuthorities(getPrivileges(roles));
}
private List<String> getPrivileges(Collection<Role> roles) {
List<String> privileges = new ArrayList<>();
List<Privilege> collection = new ArrayList<>();
for (Role role : roles) {
collection.addAll(role.getPrivileges());
}
for (Privilege item : collection) {
privileges.add(item.getName());
}
return privileges;
}
private List<GrantedAuthority> getGrantedAuthorities(List<String> privileges) {
List<GrantedAuthority> authorities = new ArrayList<>();
for (String privilege : privileges) {
authorities.add(new SimpleGrantedAuthority(privilege));
}
return authorities;
}
public UserDetails loadUserByEmail(String email) throws UsernameNotFoundException {
User user = userRepository.findByEmail(email);
return new org.springframework.security.core.userdetails.User(user.getName(), user.getPassword(), new ArrayList<>());
}
}
我的jwtFilter.java :
@Component
public class JwtFilter extends OncePerRequestFilter {
@Autowired
private JwtUtil jwtUtil;
@Autowired
private CustomUserDetailsService service;
@Override
protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
System.out.println("header:" + httpServletRequest.getHeader("Authorization"));
//get Authorization information from the request itself
String authorizationHeader = httpServletRequest.getHeader("Authorization");
String token = null;
String userName = null;
//check for its type, it must be Bearer + jwt
if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
//get the token itself
token = authorizationHeader.substring(7);
//decrypt username
userName = jwtUtil.extractUsername(token);
}
if (userName != null && SecurityContextHolder.getContext().getAuthentication() == null) {
UserDetails userDetails = service.loadUserByUsername(userName);
if (jwtUtil.validateToken(token, userDetails)) {
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken =
new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities()); // HERE IS THE getAuthorities function
usernamePasswordAuthenticationToken
.setDetails(new WebAuthenticationDetailsSource().buildDetails(httpServletRequest));
SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
}
}
filterChain.doFilter(httpServletRequest, httpServletResponse);
}
}
我正在一个额外的类中创建角色“管理员”和“用户”,并为它们分配privileges ,如本教程所示。 但实际上我从不需要这些权限,没有它们我就无法完成,所以我把它们留在了。因为没有这些权限,我不知道如何将 GrantedAuthorities 放入 userDetails 所需的userDetails.getAuthorities()我的jwtFilter类中的userDetails.getAuthorities()函数...:
@Component
public class SetupDataLoader implements
ApplicationListener<ContextRefreshedEvent> {
boolean alreadySetup = false;
@Autowired
private UserRepository userRepository;
@Autowired
private UserService userService;
@Autowired
private RoleRepository roleRepository;
@Autowired
private PrivilegeRepository privilegeRepository;
@Autowired
private PasswordEncoder passwordEncoder;
@Override
@Transactional
public void onApplicationEvent(ContextRefreshedEvent event) {
if (alreadySetup)
return;
Privilege readPrivilege
= createPrivilegeIfNotFound("READ_PRIVILEGE");
Privilege writePrivilege
= createPrivilegeIfNotFound("WRITE_PRIVILEGE");
List<Privilege> adminPrivileges = Arrays.asList(
readPrivilege, writePrivilege);
createRoleIfNotFound("ROLE_ADMIN", adminPrivileges);
createRoleIfNotFound("ROLE_USER", Arrays.asList(readPrivilege));
Role adminRole = roleRepository.findByName("ROLE_ADMIN");
Role userRole = roleRepository.findByName("ROLE_USER");
User harald = new User();
harald.setName("Harald");
harald.setPassword(passwordEncoder.encode("test"));
harald.setEmail("test@test.com");
harald.setRoles(Arrays.asList(adminRole));
harald.setEnabled(true);
userRepository.save(harald);
User hartmut = new User();
hartmut.setName("Hartmut");
hartmut.setPassword(passwordEncoder.encode("test"));
hartmut.setEmail("test@test.com");
hartmut.setRoles(Arrays.asList(adminRole));
hartmut.setEnabled(true);
userRepository.save(hartmut);
}
alreadySetup = true;
}
@Transactional
Privilege createPrivilegeIfNotFound(String name) {
Privilege privilege = privilegeRepository.findByName(name);
if (privilege == null) {
privilege = new Privilege(name);
privilegeRepository.save(privilege);
}
return privilege;
}
@Transactional
Role createRoleIfNotFound(
String name, Collection<Privilege> privileges) {
Role role = roleRepository.findByName(name);
if (role == null) {
role = new Role(name);
role.setPrivileges(privileges);
roleRepository.save(role);
}
return role;
}
}
我的Role.java :
@Entity
@Table(name="roles")
@Data
@NoArgsConstructor
public class Role {
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
private Long id;
private String name;
@ManyToMany(fetch = FetchType.EAGER)
@JoinTable(
name = "roles_privileges",
joinColumns = @JoinColumn(
name = "role_id", referencedColumnName = "id"),
inverseJoinColumns = @JoinColumn(
name = "privilege_id", referencedColumnName = "id"))
private Collection<Privilege> privileges;
public Role(String name) {
this.name = name;
}
@Override
public String toString() {
return "Role{" +
"id=" + id +
", name='" + name + '\'' +
'}';
}
}
和我的privilege.java :
@Entity
@Table(name="privileges")
@Data
@NoArgsConstructor
public class Privilege {
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
private Long id;
private String name;
public Privilege(String name) {
this.name = name;
}
@Override
public String toString() {
return "Privilege{" +
"id=" + id +
", name='" + name + '\'' +
'}';
}
}
使用@EnableGlobalMethodSecurity(prePostEnabled = true)注释public class SecurityConfig extends WebSecurityConfigurerAdapter
和,
@PreAuthorize("hasAuthority('ROLE_ADMIN')")
@GetMapping("/admin")
public String admin() {
return "Welcome Admin!";
}
1/ 您需要通过添加以下行来启用安全配置中的安全注释: @EnableGlobalMethodSecurity(prePostEnabled = true,securedEnabled = true) prePostEnabled 让您使用@PreAuthorize、@PostAuthorize 等和securedEnabled 以使用@Secured
2/ 为了说明只有具有 admin 角色的用户才能访问“/admin”,您需要添加这样的注释:`
@PreAuthorize("hasRole('ADMIN')")
// or @Secured({"ROLE_ADMIN"})
// or @PreAuthorize("hasAuthority('ROLE_ADMIN')")
@GetMapping("/admin")
public String admin() {
return "Welcome Admin!";
}
.antMatchers("/admin").access("hasRole('ADMIN')")应该工作,而不是使用注释。
3/ 在使用包含权限“ROLE_ADMIN”的权限列表登录时,您需要确保您的方法 loadByUsername 返回用户 admin。
我能够通过添加ROLE_来解决这个问题
List<GrantedAuthority> authorities = new ArrayList<>();
authorities.add(new SimpleGrantedAuthority("ROLE_" + ADMIN));
Spring Security,访问权限=“ ROLE_ADMIN”与访问权限=“ hasAnyRole('ROLE_ADMIN')
[英]Spring Security , access=“ROLE_ADMIN” Vs access="hasAnyRole('ROLE_ADMIN')
Spring Security不能与“hasRole('ROLE_ADMIN')”或ROLE_ADMIN一起使用
[英]Spring Security does not work with “hasRole('ROLE_ADMIN')” or ROLE_ADMIN
如何在spring security taglib中不提及hasRole('ROLE_ADMIN')
[英]How to mention not of hasRole('ROLE_ADMIN') in spring security taglib
如何使用Spring Security在Spring xml中为一个特殊的URL一起定义ROLE_USER,ROLE_ADMIN IN?
[英]How to defined ROLE_USER,ROLE_ADMIN IN together for one spefic url in spring xml using spring security?
Java Spring Security AccessDecisionManager:UnanimousBased无法解析表达式'ROLE_ADMIN,IS_AUTHENTICATED_FULLY'
[英]Java Spring Security AccessDecisionManager: UnanimousBased Failed to parse expression 'ROLE_ADMIN, IS_AUTHENTICATED_FULLY'
Java Spring Security-基于应用程序角色的Active Directory用户身份验证
[英]Java Spring Security - Application Role Based Active Directory User Authentication
sec:authorize="hasRole('ROLE_ADMIN')" 角度
[英]sec:authorize="hasRole('ROLE_ADMIN')" in angular
@Secured({“ ROLE_USER”,“ ROLE_ADMIN”})的确切含义
[英]What does @Secured({ “ROLE_USER”, “ROLE_ADMIN” }) exactly means
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.