java 实现WebSecurityConfigurerAdapter后返回为禁止403的所有请求

ev7lccsx  于 2023-01-24  发布在  Java
关注(0)|答案(2)|浏览(200)

我刚刚将WebSecurityConfigurerAdapter添加到我的项目中,尝试第一次创建用户逻辑(登录名-密码-哪个用户可以对我的应用程序做什么),但确实出了问题。
每当我尝试向任何路径或任何类型的方法发出请求时,它都会返回403 Forbidden!我不知道该怎么做,因为这是我第一次处理任何类型的安全逻辑。
这是我的代码:

@Configuration
@EnableWebSecurity
@ComponentScan
@EnableGlobalMethodSecurity(
        prePostEnabled = true,
        securedEnabled = true,
        jsr250Enabled = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter{

        @Autowired
        private UserDetailsService userDetailsService;

        @Bean
        AuthenticationProvider authenticationProvider() {
            DaoAuthenticationProvider provider
                     = new DaoAuthenticationProvider();
            provider.setUserDetailsService(userDetailsService);
            provider.setPasswordEncoder(new BCryptPasswordEncoder());
            return  provider;
        }
        @Override
        protected void configure(HttpSecurity http) throws Exception {
             http
                .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/**")
                .hasAuthority("ADMIN")
                .antMatchers(HttpMethod.DELETE, "/**")
                .hasAuthority("ADMIN")
                .antMatchers(HttpMethod.PUT, "/**")
                .hasAuthority("ADMIN")
                .antMatchers(HttpMethod.GET, "/**")
                .hasAuthority("ADMIN") 
                .antMatchers(HttpMethod.GET, "/tools")
                .hasAuthority("USER")
                .anyRequest()
                .authenticated()
                .and()
                .cors()
                .and()
                .exceptionHandling()
                .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .csrf()
                .disable();

        }

  
}

我也有这两个类(我下面的一个教程和家伙做了这两个):

public class CustomUserDetails implements UserDetails {
/**
 * 
 */
private static final long serialVersionUID = 1L;
private Users user;

public CustomUserDetails(Users user) {
    super();
    this.user = user;
}

@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
    return Collections.singleton(new SimpleGrantedAuthority(user.getRole()));
}

@Override
public String getPassword() {
    return user.getPassword();
}

@Override
public String getUsername() {
    return user.getLogin();
}

public String getEmail() {
    return user.getEmail();
}

@Override
public boolean isAccountNonExpired() {
    return true;
}

@Override
public boolean isAccountNonLocked() {
    return true;
}

@Override
public boolean isCredentialsNonExpired() {
    return true;
}

@Override
public boolean isEnabled() {
    return true;
}

}
以及

public class CustomUserDetails implements UserDetails {
    /**
     * 
     */
    private static final long serialVersionUID = 1L;
    private Users user;

    public CustomUserDetails(Users user) {
        super();
        this.user = user;
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return Collections.singleton(new SimpleGrantedAuthority(user.getRole()));
    }

    @Override
    public String getPassword() {
        return user.getPassword();
    }

    @Override
    public String getUsername() {
        return user.getLogin();
    }

    public String getEmail() {
        return user.getEmail();
    }

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }
}

如果我遗漏了什么,而你真的想帮忙,这是完整的代码:https://github.com/vitoriaacarvalho/backend-challenge-very-useful-tools-to-remember-
我已经感谢(这么多)任何人谁回应,并试图帮助!

k7fdbhmy

k7fdbhmy1#

当我查看您的代码时,您没有在返回用户信息的服务中设置用户的特权。
您已在UserService中创建了一个用户,并且仅指定了ID信息。在这种情况下,您无法访问您为该角色指定的任何URL。
如果您按如下所示编辑代码,您的问题将得到解决。

@Service
public class CustomUserDetailsService implements UserDetailsService{

@Autowired
private UserRepository repo;

@Override
public UserDetails loadUserByUsername(String login) throws UsernameNotFoundException {
    Optional<Users> user= repo.findByLogin(login);
    if(user==null) {
        throw new UsernameNotFoundException("User not found");
    }
    //return new CustomUserDetails(user.get());
    return new User(login, login, Collections.singletonList(new SimpleGrantedAuthority("ADMIN")))
}

}

6rqinv9w

6rqinv9w2#

首先你必须在REST API中分配角色。然后登录到正确的用户角色。

相关问题