I'm using Spring Boot 1.2.1 with embedded Tomcat and Spring Boot Starter Security. In addition, I use a RestController for some web services, and I want only users holding certain roles to be able to access the web service. But it doesn't work: security doesn't use the RoleVoter to check the roles. With the following example, the user "user" can access the web service even though he does not have the proper role!
First, my application configuration
@Configuration
@EnableJms
@ImportResource( "classpath:net/bull/javamelody/monitoring-spring.xml" )
@EnableAspectJAutoProxy
@ComponentScan
@PropertySource( "classpath:application.properties" )
@EnableAutoConfiguration
@EnableGlobalMethodSecurity( securedEnabled = true )
public class ItemConfiguration { ... }
Now my security configuration
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@Order( SecurityProperties.ACCESS_OVERRIDE_ORDER )
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure( AuthenticationManagerBuilder auth ) throws Exception {
        // In-memory user "user" with ROLE_USER only (no ROLE_ADMIN)
        auth.inMemoryAuthentication().withUser( "user" ).password( "password" ).roles( "USER" );
    }

    @Override
    protected void configure( HttpSecurity http ) throws Exception {
        // URL-level rule: every request needs a fully authenticated user; roles are left to @Secured
        http.authorizeRequests().anyRequest().fullyAuthenticated();
        http.httpBasic();
        http.csrf().disable();
    }
}
RestController
import static org.springframework.web.bind.annotation.RequestMethod.POST;
import java.util.Collections;
import java.util.List;
import javax.validation.Valid;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.annotation.Secured;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class QueryController {
    @Secured( { "ROLE_ADMIN" } ) // query() is package-private (no "public"), exactly as posted
    @RequestMapping( value = "/", method = { POST }, consumes = { MediaType.APPLICATION_JSON_VALUE },
                     produces = MediaType.APPLICATION_JSON_VALUE )
    ResponseEntity< List< BaseEntity > > query( @RequestBody @Valid final ItemQueryRequestData request ) throws Exception {
        // empty list matches the declared return type (the original returned a String, which does not compile)
        return new ResponseEntity<>( Collections.<BaseEntity>emptyList(), HttpStatus.OK );
    }
}
application.properties
spring.data.mongodb.database = item
spring.data.mongodb.host = ${MONGODB_URI:pimpoc01}
spring.data.mongodb.port = ${MONGODB_PORT:27017}
spring.activemq.broker-url=${BROKER_URL:tcp://pimpoc01:61616}
spring.activemq.user=
spring.activemq.password=
spring.activemq.pooled=true
queue.item.in.channelId = item-in
queue.item.in.concurrentConsumers = 1
queue.item.in.destination = item-in
queue.itemOption.in.channelId = itemOption-in
queue.itemOption.in.concurrentConsumers = 1
queue.itemOption.in.destination = itemOption-in
queue.style.in.channelId = style-in
queue.style.in.concurrentConsumers = 1
queue.style.in.destination = style-in
queue.concurrentConsumers = 50
queue.dataCreation.response = dataCreationResponse
queue.structureAttributeValue.in.channelId = structureAttributeValue-in
queue.structureAttributeValue.in.concurrentConsumers = 1
queue.structureAttributeValue.in.destination = structureAttributeValue-in
validation.endpoint = ${VALIDATOR_URI:http://pimpoc01:8080/validator}
Thanks for your help!
Answer 0 (score: 0)
Remove the following line from the security configuration. I think the @Order annotation overrides basic authentication.
    @Order( SecurityProperties.ACCESS_OVERRIDE_ORDER )
Answer 1 (score: 0)
I ran into a similar problem and solved it by making my controller method public, i.e. making the QueryController.query method public.
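As an added regression check, not part of the question or either answer: a JUnit 4 MockMvc test on Spring Boot 1.2-era APIs (no spring-security-test) that asserts "user" is refused with 403 on the @Secured("ROLE_ADMIN") endpoint, so a silently ignored method-security annotation shows up as a failing test. The test class, its nested TestConfig and the hypothetical bean wiring are my own; it assumes an empty JSON object deserializes into a valid ItemQueryRequestData (otherwise @Valid answers 400 before the security interceptor runs).

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;

@RunWith( SpringJUnit4ClassRunner.class )
@WebAppConfiguration
@ContextConfiguration( classes = QueryControllerSecurityTest.TestConfig.class )
public class QueryControllerSecurityTest {
    // Hypothetical minimal context: SecurityConfig + the controller + method security,
    // so none of the JMS/MongoDB/JavaMelody beans behind ItemConfiguration are needed.
    @Configuration
    @EnableWebMvc
    @EnableGlobalMethodSecurity( securedEnabled = true )
    @Import( SecurityConfig.class )
    static class TestConfig {
        @Bean QueryController queryController() { return new QueryController(); }
    }

    @Autowired private WebApplicationContext context;
    @Autowired private FilterChainProxy springSecurityFilterChain; // registered by @EnableWebSecurity
    private MockMvc mockMvc;

    @Before
    public void setUp() {
        // Without addFilters() the security filter chain is bypassed and the test proves nothing
        mockMvc = MockMvcBuilders.webAppContextSetup( context ).addFilters( springSecurityFilterChain ).build();
    }

    @Test
    public void userWithoutAdminRoleGets403() throws Exception {
        // "user" has ROLE_USER only, so the @Secured("ROLE_ADMIN") method must answer 403.
        // Fails (200) while query() is package-private; passes once it is public.
        mockMvc.perform( post( "/" ).header( "Authorization", "Basic dXNlcjpwYXNzd29yZA==" ) // base64("user:password")
                        .contentType( MediaType.APPLICATION_JSON ).content( "{}" ) )
               .andExpect( status().isForbidden() );
    }
}
```

The same test is worth keeping after the fix: any later refactoring that makes a secured handler non-public, or drops @EnableGlobalMethodSecurity, turns the 403 back into a 200 and fails the build instead of quietly opening the endpoint.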