Question

我需要帮助解决这个问题... 我无法在我的安全配置文件中保护我的控制器。但我可以使用

在我的控制器中完成

@PreAuthorize("hasAuthority('ROLE_ADMIN')")

但这真的很烦人，我想从我的安全配置中做到这一点。文件

这是我的WebSecurityconfigurerAdapter：

@Configuration
//@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = false)
//@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
//@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    CustomAuthenticationProvider customAuthenticationProvider;

    @Autowired
    CustomUserDetailsService cuds;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .userDetailsService(cuds)
                .passwordEncoder(passwordEncoder())
                .and()
                .authenticationProvider(customAuthenticationProvider);
    }

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/**").authenticated()
                .antMatchers("/test").authenticated()
                .antMatchers("/usuarios/**").hasRole("ADMIN");
    }
}

这是我的Oauth2Configuration：

@Configuration
public class Oauth2Configuration {

    private static final String RESOURCE_ID = "restservice";

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        @Autowired
        private CustomLogoutSuccessHandler customLogoutSuccessHandler;

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources
                    .resourceId(RESOURCE_ID);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                    // Logout
                    .logout()
                    .logoutUrl("/oauth/logout")
                    .logoutSuccessHandler(customLogoutSuccessHandler)
                    .and()
                    //Session management
                    .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                    //URI's to verify
                    .authorizeRequests()
                    .antMatchers("/oauth/logout").permitAll()
                    .antMatchers("/**").authenticated()
                    .antMatchers("/usuarios/**").hasRole("ADMIN");
        }
    }

我试图使用权威和角色，但没有用。我知道我做错了什么？

Answer 1

非常感谢Yannic Klem我得到了答案，订单有问题

首先在我的WebSecurityConfigurerAdapter上设置我的身份验证＆＃34; usuarios＆＃34;

@Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/usuarios").authenticated();
    }

之后，在Oauth2Configuration设置了我的作者身份。

@Override
    public void configure(HttpSecurity http) throws Exception {
        http
                // Logout
                .logout()
                .logoutUrl("/oauth/logout")
                .logoutSuccessHandler(customLogoutSuccessHandler)
                .and()
                //Session management
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                //URI's to verify
                .authorizeRequests()
                .antMatchers("/oauth/logout").permitAll()                    
                .antMatchers("/usuarios/**").hasRole("ADMIN");
    }

现在一切都很好。谢谢大家！

授权角色Spring-boot Oauth2~Restful API

1 个答案: