我正在尝试保护我的春季启动应用程序的一些urlpattern(1.21) 看起来像我的antMatchers(“/ report **”)。 hasRole(“REPORT”)被忽略。 我改变了我的antMatchers的顺序,但这没有改变。
e.g。如果我浏览任何像localhost:9000 /报告/书籍我需要登录,它只适用于我的用户名密码组合,但我没有将ROLE REPORT 设置为我的用户“user”。所以我希望我不被允许访问报告网站,但会显示该页面。
如何更改只有具有Role REPORT的用户才能访问该网址?
EDIT1 更新了源文件
Application.java
@SpringBootApplication
@EnableTransactionManagement
public class Application {
public static void main(String[] args) {
@SuppressWarnings("unused")
ApplicationContext ctx = SpringApplication.run(Application.class, args);
}
}
MvcConfig.java
@Configuration
public class MvcConfig extends WebMvcConfigurerAdapter {
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/login").setViewName("login");
}
@Bean
public EmbeddedServletContainerCustomizer containerCustomizer(){
return new MyCustomizer();
}
private static class MyCustomizer implements EmbeddedServletContainerCustomizer {
@Override
public void customize(ConfigurableEmbeddedServletContainer factory) {
factory.addErrorPages(new ErrorPage(HttpStatus.NOT_FOUND, "/error/404"));
factory.addErrorPages(new ErrorPage(Exception.class, "/error/exception"));
}
}
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/error/**").addResourceLocations("classpath:/static/");
registry.addResourceHandler("/static/**").addResourceLocations("classpath:/static/");
registry.addResourceHandler("/css/**").addResourceLocations("classpath:/static/css/");
registry.addResourceHandler("/images/**").addResourceLocations("classpath:/static/images/");
registry.addResourceHandler("/js/**").addResourceLocations("classpath:/static/js/");
}
}
WebSecurityConfig.java
@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement().enableSessionUrlRewriting(false);
http
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll()
.and()
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/report**").hasRole("REPORT")
.anyRequest().fullyAuthenticated();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("user").roles("USER").and()
.withUser("admin").password("admin").roles("ADMIN");
}
}
答案 0 :(得分:2)
我需要更改以下内容:
WebSecurityConfig
@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement().enableSessionUrlRewriting(false);
http
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll()
.and()
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/report/**").hasRole("REPORT")
.anyRequest().fullyAuthenticated()
.and().exceptionHandling().accessDeniedPage("/error/403");
}
@Override
@Order(Ordered.HIGHEST_PRECEDENCE)
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("user").roles("USER").and()
.withUser("admin").password("admin").roles("ADMIN","REPORT");
}
}