Spring SECURITY-403已禁用，不调用loadUserByUsername()

tkclm6bt 于 2022-10-23 发布在 Spring

关注(0)|答案(1)|浏览(307)

我在我的应用程序中添加了Spring Security。我想保护任何终端，并为所有用户配置打开“/USERS”：

@Entity
@Table(name = "users")
@AllArgsConstructor
@NoArgsConstructor
public class UserEntity implements UserDetails {
    @Id
    private String id;
    private String login;
    private String password;
    private String role;

    public UserEntity(UserCreateRequestModel userCreateRequestModel) {
        this.id = UUID.randomUUID().toString();
        this.login = userCreateRequestModel.getLogin();
        this.password = PasswordService.codePassword(userCreateRequestModel.getPassword());
        this.role = "USER";
    }

@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
    List<SimpleGrantedAuthority> list = new ArrayList<>();
    list.add(new SimpleGrantedAuthority(role));
    return new ArrayList<SimpleGrantedAuthority>();
}

@Override
public String getUsername() {
    return login;
}

@Override
public String getPassword() {
    return password;
}

@Override
public boolean isAccountNonExpired() {
    return true;
}

@Override
public boolean isAccountNonLocked() {
    return true;
}

@Override
public boolean isCredentialsNonExpired() {
    return true;
}

@Override
public boolean isEnabled() {
    return true;
}

我的自定义WebSecurityConfigurerAdapter：

@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class MyWebSecurityConfig extends WebSecurityConfigurerAdapter {
    private final MyUserDetailsService myUserDetailsService;

    @Override
    public void configure(HttpSecurity http) throws Exception {

    http
            .cors().and().csrf().disable()
            .authorizeRequests()
            .antMatchers("/users", "/users/**").permitAll()
            .anyRequest().hasAuthority("USER")
            ;
    }

    @Override
    protected UserDetailsService userDetailsService() {
        return myUserDetailsService;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(myUserDetailsService);
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

接下来，我添加了定制的UserDetailsService

@Service
@RequiredArgsConstructor
public class MyUserDetailsService implements UserDetailsService {
private final UserEntityRepository userEntityRepository;

@Override
public UserDetails loadUserByUsername(String login) throws UsernameNotFoundException {
    System.out.println(userEntityRepository.findByLogin(login));
    return userEntityRepository.findByLogin(login).orElseThrow((() -> new ObjectNotFoundException(login)));
}

现在我有麻烦了。“/USERS”的终结点对所有人开放，我可以发送有任何问题的请求。但是，例如，当我尝试在端点“/Shares”上执行任何@Postmap时，我都会收到403状态响应。在 Postman 中，我认为一切都很好：

当然，用户存在于数据库中。在UserEntity中，User is Enabled、isAccount tNonExpired、isAccount tNonLocked和isCredentialsNonExpired-一切都为真。

spring

来源：https://stackoverflow.com/questions/74090834/spring-security-403-forbidden-and-not-call-loaduserbyusername

1条答案

按热度按时间

ev7lccsx1#

在UserEntity类的getAuthorities()方法中，您将返回一个空List，因此Spring-Security没有看到经过身份验证的用户的权限(角色)。
按如下方式更改此方法：

@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
    return Collections.singletonList(new SimpleGrantedAuthority(role));
}

赞(0）回复(0）举报 2022-10-23

我来回答

Spring SECURITY-403已禁用，不调用loadUserByUsername()

1条答案

相关问题

热门标签

最新问答