java—“访问被拒绝”,即使在springboot 2.3.3.0版本中提供的证书是正确的

vhmi4jdf  于 2021-09-30  发布在  Java
关注(0)|答案(0)|浏览(246)

我想在单个rest端点上启用双向ssl。以下是配置:

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

@Configuration
@EnableWebSecurity(debug= true)
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class X509SecurityConfig extends WebSecurityConfigurerAdapter {

    private static final Logger LOGGER = LogManager.getLogger(X509SecurityConfig.class);

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
        .antMatchers(HttpMethod.POST,"/hello").hasRole("USER")
        .and().x509().subjectPrincipalRegex("CN=(.*?)(?:,|$)").userDetailsService(userDetailsService())
        .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);

        http.csrf().disable();
        LOGGER.debug("Setting client certificate based authentication done!");

    }

    @Bean
    public UserDetailsService userDetailsService() {
        return (UserDetailsService) username ->  {
                LOGGER.debug("Verifying username from certicate's CN");
                if (username.equals("bob")) {
                    LOGGER.debug("CN is : " + username);
                    return new User(username, "", AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));
                } else if (username.equals("john")) {
                    LOGGER.debug("CN is : " + username);
                    return new User(username, "", AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));
                } else {
                    LOGGER.debug("CN not available under username list!");
                    throw new UsernameNotFoundException(String.format("User %s not found", username));
                }
        };
    }
}

我也在rest端点添加了@preauthorize(“hasauthority('role_user')”)。使用的父项是:

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.3.3.RELEASE</version>
    <relativePath /> 
</parent>

并且依赖关系是:

<dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
</dependency>

调用rest api时,响应始终为403禁止,并且在日志中显示“已授予的权限:角色\u匿名”,并且配置被正确拾取,正如我在日志中看到的,rest端点的“属性:[[authorize:'hasauthority('role\u user')””。
根据UserDetails服务,似乎没有发生用户授权。你知道怎么解决这个问题吗?
提前谢谢你的帮助!

暂无答案!

目前还没有任何答案,快来回答吧!

相关问题