配置彈簧安全性后未經授權的呼叫

Question

我想保護我的REST端點，但是我遇到了麻煩...我在使用inMemoryAuth ，但是因為我試圖使用存儲在數據庫中的憑據 - 它停止了工作。

好的，所以我的Entity類看起來像那樣

class User {
    @Id
    @GeneratedValue
    @Column(name = "user_id")
    private Integer id;

    @Column
    private String username;

    @Column
    private String password;

    @ManyToMany
    @JoinTable(name = "user_role", joinColumns = @JoinColumn(name = "user_id"), inverseJoinColumns = @JoinColumn(name = "role_id"))
    private Set<Role> roles;
}

class Role {
    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    @Column(name = "role_id")
    private Integer id;

    @Column(name = "role")
    private String role;
}

我的安全配置

@Configuration
class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Value("${spring.queries.users-query}")
    private String usersQuery;

    @Value("${spring.queries.roles-query}")
    private String rolesQuery;

    private DataSource dataSource;

    public SecurityConfiguration(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();
        return bCryptPasswordEncoder;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
            .usersByUsernameQuery(usersQuery)
            .authoritiesByUsernameQuery(rolesQuery)
            .dataSource(dataSource)
            .passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic()
            .and()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/task/**").hasRole("USER")
            .and()
            .csrf().disable()
            .formLogin().disable();
    }
}

最后， application.properties

spring.jpa.hibernate.ddl-auto=update
spring.datasource.url=jdbc:mysql://localhost:3306/teamplanner?useUnicode=true&useJDBCCompliantTimezoneShift=true&useLegacyDatetimeCode=false&serverTimezone=Europe/Warsaw
spring.datasource.username=root
spring.datasource.password=root

spring.queries.users-query=select username, password from user where username=?
spring.queries.roles-query=select u.username, r.role from user u inner join user_role ur on(u.user_id=ur.user_id) inner join role r on(ur.role_id=r.role_id) where u.username=?

現在，我正在嘗試使用郵遞員中的Basic auth調用/ task / all，我得到了

{
    "timestamp": "2019-04-21T22:50:17.189+0000",
    "status": 401,
    "error": "Unauthorized",
    "message": "Unauthorized",
    "path": "/task/all"
}

如果我直接在數據庫中運行它們，我存儲在application.properties中的兩個查詢都會返回記錄

Answer 1

你應該告訴spring安全性用戶是否已啟用，請參閱JdbcDaoImpl的源代碼

所以你應該改變配置spring.queries.users-query

spring.queries.users-query=select username, password, 1 from user where username=?

如果仍然無法理解，請將角色名稱的值從USER更改為ROLE_USER