![](/img/trans.png)
[英]Proper way to determine required authority in spring security access denied handler
[英]Access denied for user with authority in Spring Cloud Security
我正在使用 spring 雲 oauth-2 和 spring 雲安全構建用戶身份驗證系統。 我希望有許多可以分配給用戶組的權限。 權限存儲為枚舉常量,如下所示:
public enum Authority {
READ_USER(1, "View users and their details", "READ_USER"),
WRITE_USER(2, "Create, Edit and Delete users and their details", "WRITE_USER"),
// More authorities will be added
;
Authority(int id, String description, String name) {
this.id = id;
this.description = description;
this.name = name;
}
private final int id;
private final String description;
private final String name;
public int getId() {
return id;
}
public String getDescription() {
return description;
}
public String getName() {
return name;
}
}
我已將身份驗證服務器設置為向內存中的客戶端發出 JWT 令牌。 一切正常(我認為)。
下面是我的 UserDetails 實現
public class AuthPrincipal implements UserDetails {
private String email;
private String password;
private Collection<? extends GrantedAuthority> authoritySet;
public AuthPrincipal(User user) {
this.email = user.getEmail();
this.password = user.getPassword();
this.authoritySet = user.getGroup().getAuthorities().stream().map(authority -> new SimpleGrantedAuthority(authority.getName())).collect(Collectors.toList());
}
// Necessary getters
}
就像我說的,身份驗證服務器正在發布令牌。 我面臨的問題是授權。 下面是我的資源服務器 http 配置:
@Configuration
@EnableWebSecurity()
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception{
http
.authorizeRequests()
.antMatchers("/").permitAll()
// Users paths
.antMatchers(HttpMethod.GET, "/users/**").hasAuthority(Authority.READ_USER.getName())
.antMatchers(HttpMethod.POST, "/users/**").hasAuthority(Authority.WRITE_USER.getName())
.antMatchers(HttpMethod.PUT, "/users/**").hasAuthority(Authority.WRITE_USER.getName())
.antMatchers(HttpMethod.DELETE, "/users/**").hasAuthority(Authority.WRITE_USER.getName())
.anyRequest().authenticated();
}
}
成功驗證后,對於具有所需權限的用戶,我收到 403 access denied 錯誤,如下面的安全調試日志所示:
2021-11-29 14:34:42.567 DEBUG 9832 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Securing GET /users
2021-11-29 14:34:42.567 DEBUG 9832 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2021-11-29 14:34:42.591 DEBUG 9832 --- [nio-8080-exec-3] p.a.OAuth2AuthenticationProcessingFilter : Authentication success: OAuth2Authentication [Principal=superuser@email.com, Credentials=[PROTECTED], Authenticated=true, Details=remoteAddress=0:0:0:0:0:0:0:1, tokenType=BearertokenValue=<TOKEN>, Granted Authorities=[{authority=READ_USER}, {authority=WRITE_USER}]]
2021-11-29 14:34:42.595 DEBUG 9832 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Failed to authorize filter invocation [GET /users] with attributes [#oauth2.throwOnError(hasAuthority('READ_USER'))]
2021-11-29 14:34:42.604 DEBUG 9832 --- [nio-8080-exec-3] s.s.o.p.e.DefaultOAuth2ExceptionRenderer : Written [error="access_denied", error_description="Access is denied"] as "application/json" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@4cd51cd5]
2021-11-29 14:34:42.604 DEBUG 9832 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
從日志中可以看出,用戶擁有“READ_USERS”的權限,但 GET 請求仍然被拒絕。 我錯過了什么?
檢查這兩點:-
確保user.getGroup()
包含READ_USER
權限
在實現UserDetails
的AuthPrincipal
中, authoritySet
您在 -
@Override public Collection<? extends GrantedAuthority> getAuthorities() { return this.authoritySet; }
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.