spring-security Spring 网络流量:已忽略React用户详细信息

xv8emn3q  于 2022-11-11  发布在  Spring
关注(0)|答案(1)|浏览(93)

下面是我的安全配置:

@Configuration
@EnableWebFluxSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration {

    @Bean
    public ReactiveJwtDecoder reactiveJwtDecoder() throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        SecretKeySpec secretKey = new SecretKeySpec("JAC1O17W1F3QB9E8B4B1MT6QKYOQB36V".getBytes(), mac.getAlgorithm());

        return NimbusReactiveJwtDecoder.withSecretKey(secretKey)
            .macAlgorithm(MacAlgorithm.HS256)
            .build();
    }

    @Bean
    public ReactiveUserDetailsService userDetailsService(
        UsuariRepository usuariRepository,
        UserDetailsMapper userDetailsMapper
    ) {
        return new GitUserDetailsService(usuariRepository, userDetailsMapper);
    }

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(
        ServerHttpSecurity http
    ) {
        final CorsConfigurationSource configurationSource = serverWebExchange -> {
            final var cc = new CorsConfiguration();
            cc.addAllowedOrigin("*");
            cc.addAllowedMethod("*");
            cc.addAllowedHeader("*");

            return cc;
        };

        Customizer<CorsSpec> corsCustomizer = (corsSpec) -> corsSpec.configurationSource(configurationSource);
        return http
            .httpBasic(HttpBasicSpec::disable)
            .cors(corsCustomizer)
            .csrf(CsrfSpec::disable)
            .formLogin(FormLoginSpec::disable)
            .anonymous(AnonymousSpec::disable)
            .logout(LogoutSpec::disable)
            .authorizeExchange((authorize) -> authorize
                .pathMatchers("/actuator/**").permitAll()
                .pathMatchers("/gicar/**").permitAll()
                .anyExchange().authenticated()
            )
            .oauth2ResourceServer(OAuth2ResourceServerSpec::jwt)
            .build();
    }

}

如您所见,我正尝试使用UserDetailsService来加载用户详细信息表单数据库。
在我的方法中,我使用:

@RestController
@RequestMapping(value = "/qdcf")
public class QdCFController {

    private final QdCFService qdcfService;

    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping
    public Mono<PageableResponseModel<QdCFPresenter>> all(Pageable pageable) {
        return this.qdcfService.getQdCFs(pageable);
    }

}

我正在尝试使用此请求访问我的代码:

curl -s -X GET "http://$BACKEND/qdcf" -H "Authorization: Bearer $JWT_TOKEN"

我希望调用ReactiveUserDetailsService。但它被忽略了。
有什么想法吗?

1sbrub3j

1sbrub3j1#

@EnableGlobalMethodSecurity(prePostEnabled = true)替换为@EnableReactiveMethodSecurity。第一个用于非React性Spring安全。

相关问题