我在我的应用程序中添加了Spring Security。我想保护任何终端,并为所有用户配置打开“/USERS”:
@Entity
@Table(name = "users")
@AllArgsConstructor
@NoArgsConstructor
public class UserEntity implements UserDetails {
@Id
private String id;
private String login;
private String password;
private String role;
public UserEntity(UserCreateRequestModel userCreateRequestModel) {
this.id = UUID.randomUUID().toString();
this.login = userCreateRequestModel.getLogin();
this.password = PasswordService.codePassword(userCreateRequestModel.getPassword());
this.role = "USER";
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
List<SimpleGrantedAuthority> list = new ArrayList<>();
list.add(new SimpleGrantedAuthority(role));
return new ArrayList<SimpleGrantedAuthority>();
}
@Override
public String getUsername() {
return login;
}
@Override
public String getPassword() {
return password;
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
我的自定义WebSecurityConfigurerAdapter:
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class MyWebSecurityConfig extends WebSecurityConfigurerAdapter {
private final MyUserDetailsService myUserDetailsService;
@Override
public void configure(HttpSecurity http) throws Exception {
http
.cors().and().csrf().disable()
.authorizeRequests()
.antMatchers("/users", "/users/**").permitAll()
.anyRequest().hasAuthority("USER")
;
}
@Override
protected UserDetailsService userDetailsService() {
return myUserDetailsService;
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(myUserDetailsService);
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
接下来,我添加了定制的UserDetailsService
@Service
@RequiredArgsConstructor
public class MyUserDetailsService implements UserDetailsService {
private final UserEntityRepository userEntityRepository;
@Override
public UserDetails loadUserByUsername(String login) throws UsernameNotFoundException {
System.out.println(userEntityRepository.findByLogin(login));
return userEntityRepository.findByLogin(login).orElseThrow((() -> new ObjectNotFoundException(login)));
}
现在我有麻烦了。“/USERS”的终结点对所有人开放,我可以发送有任何问题的请求。但是,例如,当我尝试在端点“/Shares”上执行任何@Postmap时,我都会收到403状态响应。在 Postman 中,我认为一切都很好:
当然,用户存在于数据库中。在UserEntity中,User is Enabled、isAccount tNonExpired、isAccount tNonLocked和isCredentialsNonExpired-一切都为真。
1条答案
按热度按时间ev7lccsx1#
在
UserEntity
类的getAuthorities()
方法中,您将返回一个空List
,因此Spring-Security没有看到经过身份验证的用户的权限(角色)。按如下方式更改此方法: