Spring Boot with embedded Tomcat ignores method roles

Posted: 2015-03-10 09:24:25

Tags: java spring tomcat spring-security spring-boot

I am using Spring Boot 1.2.1 with embedded Tomcat and the Spring Boot Starter Security. In addition, I use a RestController for some web services, and I want only certain users with certain roles to be able to access the web services. But it does not work: the security layer does not use the RoleVoter to check the roles. With the example below, the user "user" can access the web service even though he does not have the proper role!

First, my application configuration

@Configuration
@EnableJms
@ImportResource( "classpath:net/bull/javamelody/monitoring-spring.xml" )
@EnableAspectJAutoProxy
@ComponentScan
@PropertySource( "classpath:application.properties" )
@EnableAutoConfiguration
@EnableGlobalMethodSecurity( securedEnabled = true )
public class ItemConfiguration { ... }

Now my security configuration

import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@Order( SecurityProperties.ACCESS_OVERRIDE_ORDER )
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  // A single in-memory user that only has ROLE_USER (no ROLE_ADMIN)
  @Override
  protected void configure( AuthenticationManagerBuilder auth ) throws Exception {
    auth.inMemoryAuthentication().withUser( "user" ).password( "password" ).roles( "USER" );
  }

  @Override
  protected void configure( HttpSecurity http ) throws Exception {
    http.authorizeRequests().anyRequest().fullyAuthenticated(); // URL-level rule: any authenticated user
    http.httpBasic();
    http.csrf().disable();
  }
}

RestController

import static org.springframework.web.bind.annotation.RequestMethod.POST;

import java.util.Collections;
import java.util.List;
import javax.validation.Valid;
import org.springframework.http.*;
import org.springframework.security.access.annotation.Secured;
import org.springframework.web.bind.annotation.*;

@RestController
public class QueryController {

  // Method-level rule on a package-private handler; this is the check that is not applied
  @Secured( { "ROLE_ADMIN" } )
  @RequestMapping( value = "/", method = { POST }, consumes = { MediaType.APPLICATION_JSON_VALUE },
      produces = MediaType.APPLICATION_JSON_VALUE )
  ResponseEntity< List< BaseEntity > > query( @RequestBody @Valid final ItemQueryRequestData request )
      throws Exception {
      // Empty body of the declared type (the original returned "", which does not match the return type)
      return new ResponseEntity<>( Collections.<BaseEntity>emptyList(), HttpStatus.OK );
  }
}

application.properties

spring.data.mongodb.database = item
spring.data.mongodb.host = ${MONGODB_URI:pimpoc01}
spring.data.mongodb.port = ${MONGODB_PORT:27017}

spring.activemq.broker-url=${BROKER_URL:tcp://pimpoc01:61616}
spring.activemq.user=
spring.activemq.password=
spring.activemq.pooled=true

queue.item.in.channelId = item-in
queue.item.in.concurrentConsumers = 1
queue.item.in.destination = item-in

queue.itemOption.in.channelId = itemOption-in
queue.itemOption.in.concurrentConsumers = 1
queue.itemOption.in.destination = itemOption-in

queue.style.in.channelId = style-in
queue.style.in.concurrentConsumers = 1
queue.style.in.destination = style-in

queue.concurrentConsumers = 50
queue.dataCreation.response = dataCreationResponse

queue.structureAttributeValue.in.channelId = structureAttributeValue-in
queue.structureAttributeValue.in.concurrentConsumers = 1
queue.structureAttributeValue.in.destination = structureAttributeValue-in

validation.endpoint = ${VALIDATOR_URI:http://pimpoc01:8080/validator}

Thanks for your help!

2 answers:

Answer 0 (score: 0)

Remove the following line from the security configuration. I think the @Order annotation is overriding basic authentication.

@Order( SecurityProperties.ACCESS_OVERRIDE_ORDER )

Answer 1 (score: 0)

I ran into a similar problem and solved it by making my controller method public, i.e. making the QueryController.query method public.
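A check that makes the expected behaviour executable, added here as an example and not taken from the question or either answer: a JUnit test that boots the same kind of configuration as the question (in-memory users, HTTP Basic, @EnableGlobalMethodSecurity(securedEnabled = true)) with the handler declared public, then asserts through MockMvc that "user" receives 403 and an admin user receives 200. It assumes Spring Boot 1.2.x with spring-boot-starter-web, spring-boot-starter-security and spring-boot-starter-test on the classpath and Java 8 (for java.util.Base64). The class name MethodSecurityCheckTest, the added "admin" user and the Map request body are my own choices, not the asker's code.

```java
package example;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import java.nio.charset.StandardCharsets;
import java.util.*;
import org.junit.*;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.test.SpringApplicationConfiguration;
import org.springframework.context.annotation.*;
import org.springframework.http.MediaType;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.context.WebApplicationContext;

// Assumed: Spring Boot 1.2.x with spring-boot-starter-web, -security and -test,
// Java 8 (java.util.Base64). Class, user and path names are illustrative.
@RunWith(SpringJUnit4ClassRunner.class)
@SpringApplicationConfiguration(classes = MethodSecurityCheckTest.App.class)
@WebAppConfiguration
public class MethodSecurityCheckTest {

  // Same shape as the question's SecurityConfig, plus an admin user so both
  // outcomes (403 and 200) are exercised. The @Order annotation is left off.
  @Configuration
  @EnableAutoConfiguration
  @EnableWebSecurity
  @EnableGlobalMethodSecurity(securedEnabled = true)
  static class App extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
      auth.inMemoryAuthentication()
          .withUser("user").password("password").roles("USER").and()
          .withUser("admin").password("password").roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
      http.authorizeRequests().anyRequest().fullyAuthenticated();
      http.httpBasic();
      http.csrf().disable();
    }

    @Bean
    QueryController queryController() { return new QueryController(); }
  }

  @RestController
  static class QueryController {
    // The handler is public. Spring AOP advice, which is what enforces @Secured, is
    // matched against public methods; the second answer reports that a package-private
    // handler like the one in the question is not checked.
    @Secured("ROLE_ADMIN")
    @RequestMapping(value = "/", method = RequestMethod.POST,
        consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
    public List<String> query(@RequestBody Map<String, Object> request) {
      return Collections.emptyList();
    }
  }

  @Autowired private WebApplicationContext context;
  @Autowired private FilterChainProxy springSecurityFilterChain;
  private MockMvc mvc;

  @Before
  public void setUp() {
    // Without addFilters() the security filter chain is bypassed and nobody is authenticated.
    mvc = MockMvcBuilders.webAppContextSetup(context)
        .addFilters(springSecurityFilterChain).build();
  }

  private static String basic(String user, String password) {
    return "Basic " + Base64.getEncoder().encodeToString(
        (user + ":" + password).getBytes(StandardCharsets.UTF_8));
  }

  @Test
  public void userWithoutAdminRoleGets403() throws Exception {
    mvc.perform(post("/").contentType(MediaType.APPLICATION_JSON).content("{}")
        .header("Authorization", basic("user", "password")))
        .andExpect(status().isForbidden());
  }

  @Test
  public void adminGets200() throws Exception {
    mvc.perform(post("/").contentType(MediaType.APPLICATION_JSON).content("{}")
        .header("Authorization", basic("admin", "password")))
        .andExpect(status().isOk());
  }
}
```

Run it with mvn test. If the first test fails with a 200, the @Secured annotation is not being applied to the handler, which is the symptom the question describes; the second test guards against the opposite mistake of locking out the role that should have access. Keeping a test like this in the build is the practical way to notice when a refactor (for example dropping the `public` modifier, as in the question's controller) silently turns a method-level check off.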