Spring SECURITY-403已禁用,不调用loadUserByUsername()

tkclm6bt  于 2022-10-23  发布在  Spring
关注(0)|答案(1)|浏览(364)

我在我的应用程序中添加了Spring Security。我想保护任何终端,并为所有用户配置打开“/USERS”:

  1. @Entity
  2. @Table(name = "users")
  3. @AllArgsConstructor
  4. @NoArgsConstructor
  5. public class UserEntity implements UserDetails {
  6. @Id
  7. private String id;
  8. private String login;
  9. private String password;
  10. private String role;
  11. public UserEntity(UserCreateRequestModel userCreateRequestModel) {
  12. this.id = UUID.randomUUID().toString();
  13. this.login = userCreateRequestModel.getLogin();
  14. this.password = PasswordService.codePassword(userCreateRequestModel.getPassword());
  15. this.role = "USER";
  16. }
  17. @Override
  18. public Collection<? extends GrantedAuthority> getAuthorities() {
  19. List<SimpleGrantedAuthority> list = new ArrayList<>();
  20. list.add(new SimpleGrantedAuthority(role));
  21. return new ArrayList<SimpleGrantedAuthority>();
  22. }
  23. @Override
  24. public String getUsername() {
  25. return login;
  26. }
  27. @Override
  28. public String getPassword() {
  29. return password;
  30. }
  31. @Override
  32. public boolean isAccountNonExpired() {
  33. return true;
  34. }
  35. @Override
  36. public boolean isAccountNonLocked() {
  37. return true;
  38. }
  39. @Override
  40. public boolean isCredentialsNonExpired() {
  41. return true;
  42. }
  43. @Override
  44. public boolean isEnabled() {
  45. return true;
  46. }

我的自定义WebSecurityConfigurerAdapter:

  1. @Configuration
  2. @EnableWebSecurity
  3. @RequiredArgsConstructor
  4. public class MyWebSecurityConfig extends WebSecurityConfigurerAdapter {
  5. private final MyUserDetailsService myUserDetailsService;
  6. @Override
  7. public void configure(HttpSecurity http) throws Exception {
  8. http
  9. .cors().and().csrf().disable()
  10. .authorizeRequests()
  11. .antMatchers("/users", "/users/**").permitAll()
  12. .anyRequest().hasAuthority("USER")
  13. ;
  14. }
  15. @Override
  16. protected UserDetailsService userDetailsService() {
  17. return myUserDetailsService;
  18. }
  19. @Override
  20. protected void configure(AuthenticationManagerBuilder auth) throws Exception {
  21. auth.userDetailsService(myUserDetailsService);
  22. }
  23. @Bean
  24. public PasswordEncoder passwordEncoder() {
  25. return new BCryptPasswordEncoder();
  26. }
  27. }

接下来,我添加了定制的UserDetailsService

  1. @Service
  2. @RequiredArgsConstructor
  3. public class MyUserDetailsService implements UserDetailsService {
  4. private final UserEntityRepository userEntityRepository;
  5. @Override
  6. public UserDetails loadUserByUsername(String login) throws UsernameNotFoundException {
  7. System.out.println(userEntityRepository.findByLogin(login));
  8. return userEntityRepository.findByLogin(login).orElseThrow((() -> new ObjectNotFoundException(login)));
  9. }

现在我有麻烦了。“/USERS”的终结点对所有人开放,我可以发送有任何问题的请求。但是,例如,当我尝试在端点“/Shares”上执行任何@Postmap时,我都会收到403状态响应。在 Postman 中,我认为一切都很好:

当然,用户存在于数据库中。在UserEntity中,User is Enabled、isAccount tNonExpired、isAccount tNonLocked和isCredentialsNonExpired-一切都为真。

ev7lccsx

ev7lccsx1#

UserEntity类的getAuthorities()方法中,您将返回一个List,因此Spring-Security没有看到经过身份验证的用户的权限(角色)。
按如下方式更改此方法:

  1. @Override
  2. public Collection<? extends GrantedAuthority> getAuthorities() {
  3. return Collections.singletonList(new SimpleGrantedAuthority(role));
  4. }

相关问题