[英]Getting "Full authentication is required to access this resource" when using JWT grant
[英]Error: Full authentication is required to access this resource when using @PreAuthorize
我正在嘗試使用 Spring Boot、JWT with Roles 實現身份驗證
我有錯誤:
訪問此資源需要完整身份驗證
將POST請求發送到“http://localhost:8080/api/profile/edit_user_detail”(帶有授權標頭)時
下面是我的控制器
@Controller
@CrossOrigin(origins = "*",maxAge = 3600)
@RequestMapping("/api/profile")
public class UserAPI {
@Autowired
UserRepository userRepository;
@Autowired
private RoleRepository roleRepository;
@Autowired
QARepository qaRepository;
@Autowired
DiscussRepository discussRepository;
@Autowired
AnnouncementRepository announcementRepository;
@PostMapping(value = {"/edit_user_detail"})
@PreAuthorize("hasRole('ROLE_USER')")
public ResponseEntity<?> editInfo(@RequestBody Map map) throws ParseException {
String username = map.get("username").toString();
String display_name = map.get("display_name").toString();
User user = userRepository.findByUserName(username).get(0);
user.setuDigitalName(display_name);
userRepository.save(user);
return ResponseEntity.ok("Updated");
}
但是當我刪除該行時
@PreAuthorize("hasRole('ROLE_USER')")
然后我可以成功發布請求並成功編輯用戶(我已經檢查了數據庫)
這也是我的入口點(捕捉異常)
@Component
public class AuthEntryPointJwt implements AuthenticationEntryPoint {
private static final Logger log = LoggerFactory.getLogger(AuthEntryPointJwt.class);
@Override
public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
log.error("Authorized error: " + e.getMessage());
httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED,"Error: Unauthorized");
e.printStackTrace();
}
}
這是我的配置文件
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ConfigAuthenticate extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsServices userDetailsServices;
@Autowired
private AuthEntryPointJwt unauthorizeHandler;
@Bean
public AuthTokenFilter authenticationJwtTokenFilter(){
return new AuthTokenFilter();
}
@Bean
@Override public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsServices).passwordEncoder(passwordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable().exceptionHandling().authenticationEntryPoint(unauthorizeHandler)
.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().authorizeRequests()
.antMatchers("/**").permitAll()
.anyRequest().authenticated();
http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
}
}
我認為WebSecurityConfigurerAdapter 中的配置有問題,我已嘗試
@PreAuthorize("hasRole('ROLE_USER')")
改為@PreAuthorize("hasRole('USER')")
但它仍然不起作用,任何人都有解決方案
嘗試刪除.antMatchers("/**").permitAll()
,並將這些行添加到您的:
應用程序.yml
logging:
level:
org.springframework.security: TRACE
或 application.properties
logging.level.org.springframework.security=TRACE
您可以像這樣看到有關您的用戶的信息:
AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
您可以依靠Granted Authorities
來確定用戶的角色
因為您在.antMatchers("/**").permitAll()
之前設置了.antMatchers("/**").permitAll()
.anyRequest().authenticated()
,所以我不確定您是否成功驗證了用戶。 如果沒有,那么AnonymousAuthenticationFilter
將為您創建一個匿名用戶。 如果您不添加@PreAuthorize("hasRole('USER')")
,基於.antMatchers("/**").permitAll()
的FilterSecurityInterceptor
將允許請求通過它並訪問控制器。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.