我正在努力学习Spring Security ,因为我面临基于角色的安全性问题。
有两个表user和role具有一对多的属性。
当我以spring默认形式输入用户名和密码时,我通过loaduserbyusername()方法成功地获取正确的用户详细信息。但在屏幕上我得到一个信息
此应用程序没有针对/error的显式Map,因此您将此视为回退。
出现意外错误(类型=禁止,状态=403)。被禁止的
只有@getmapping(“/user”)方法才能正常工作。
这是控制器部分
@RestController
@RequestMapping("/admin")
public class AdminController {
@Autowired
UserRepository userRepo;
@Autowired
RoleRepository roleRepo;
@PreAuthorize("hasAnyRole('ADMIN')")
@PostMapping("/add")
public String addUserByAdmin(@RequestBody User user)
{
user.getRoles().forEach(role -> role.setUser(user));
userRepo.save(user);
return "User added Successfully";
}
@PreAuthorize("hasAnyRole('ADMIN')")
@GetMapping("/process")
public String process()
{
return "Processing....";
}
@GetMapping("/user")
public String users() // This code is working properly
{
System.out.println("U r in user area's");
return "User's space";
}
}配置部分
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableJpaRepositories(basePackageClasses = UserRepository.class)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService);
}
protected void configure(HttpSecurity http)throws Exception
{
http.csrf().disable();
http.authorizeRequests()
.antMatchers("/admin/**").authenticated()
.anyRequest().permitAll()
.and()
.formLogin().permitAll();
}
}服务部分
@Service
public class CustomeUserDetailsService implements UserDetailsService
{
@Autowired
UserRepository userRepo;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User u = userRepo.findByName(username);
CustomeUserDetails cUserDetails = new CustomeUserDetails();
if(u == null)
{
throw new UsernameNotFoundException("User "+username +"not found");
}
else
{
cUserDetails.setUser(u);
}
return cUserDetails;
}
}我错在哪里?
如果我想再添加一个不需要任何身份验证和授权的url,怎么添加?
暂无答案!
目前还没有任何答案,快来回答吧!