Spring SECURITY-403已禁用,不调用loadUserByUsername()

tkclm6bt  于 2022-10-23  发布在  Spring
关注(0)|答案(1)|浏览(307)

我在我的应用程序中添加了Spring Security。我想保护任何终端,并为所有用户配置打开“/USERS”:

@Entity
@Table(name = "users")
@AllArgsConstructor
@NoArgsConstructor
public class UserEntity implements UserDetails {
    @Id
    private String id;
    private String login;
    private String password;
    private String role;

    public UserEntity(UserCreateRequestModel userCreateRequestModel) {
        this.id = UUID.randomUUID().toString();
        this.login = userCreateRequestModel.getLogin();
        this.password = PasswordService.codePassword(userCreateRequestModel.getPassword());
        this.role = "USER";
    }

@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
    List<SimpleGrantedAuthority> list = new ArrayList<>();
    list.add(new SimpleGrantedAuthority(role));
    return new ArrayList<SimpleGrantedAuthority>();
}

@Override
public String getUsername() {
    return login;
}

@Override
public String getPassword() {
    return password;
}

@Override
public boolean isAccountNonExpired() {
    return true;
}

@Override
public boolean isAccountNonLocked() {
    return true;
}

@Override
public boolean isCredentialsNonExpired() {
    return true;
}

@Override
public boolean isEnabled() {
    return true;
}

我的自定义WebSecurityConfigurerAdapter:

@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class MyWebSecurityConfig extends WebSecurityConfigurerAdapter {
    private final MyUserDetailsService myUserDetailsService;

    @Override
    public void configure(HttpSecurity http) throws Exception {

    http
            .cors().and().csrf().disable()
            .authorizeRequests()
            .antMatchers("/users", "/users/**").permitAll()
            .anyRequest().hasAuthority("USER")
            ;
    }

    @Override
    protected UserDetailsService userDetailsService() {
        return myUserDetailsService;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(myUserDetailsService);
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

接下来,我添加了定制的UserDetailsService

@Service
@RequiredArgsConstructor
public class MyUserDetailsService implements UserDetailsService {
private final UserEntityRepository userEntityRepository;

@Override
public UserDetails loadUserByUsername(String login) throws UsernameNotFoundException {
    System.out.println(userEntityRepository.findByLogin(login));
    return userEntityRepository.findByLogin(login).orElseThrow((() -> new ObjectNotFoundException(login)));
}

现在我有麻烦了。“/USERS”的终结点对所有人开放,我可以发送有任何问题的请求。但是,例如,当我尝试在端点“/Shares”上执行任何@Postmap时,我都会收到403状态响应。在 Postman 中,我认为一切都很好:

当然,用户存在于数据库中。在UserEntity中,User is Enabled、isAccount tNonExpired、isAccount tNonLocked和isCredentialsNonExpired-一切都为真。

ev7lccsx

ev7lccsx1#

UserEntity类的getAuthorities()方法中,您将返回一个List,因此Spring-Security没有看到经过身份验证的用户的权限(角色)。
按如下方式更改此方法:

@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
    return Collections.singletonList(new SimpleGrantedAuthority(role));
}

相关问题