Error when using @PreAuthorize

Time: 2016-09-01 10:02:26

Tags: spring-security spring-data-rest

I'm developing a Spring Boot application, and I'm trying to use the @PreAuthorize annotation to filter access to the User resource so that users can only access their own resource. This is my UserRepository:

@Repository
@RepositoryRestResource
public interface MyUserRepository extends PagingAndSortingRepository<MyUser, UUID> {
    @Override
    @PreAuthorize("principal.getId().equals(#uuid)")
    MyUser findOne(UUID uuid);

    MyUser findByUsername(@Param("username") String username);

    MyUser findByEmail(@Param("email") String email);

}

You can see the stack trace here

Somewhere in the stack trace, line 42 of the class WebSecurityConfig is referenced. That is the configureAuthentication method of the following class:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private RestAuthenticationEntryPoint unauthorizedHandler;

    @Autowired
    private BasicUserDetailsService userDetailsService;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Autowired
    public void configureAuthentication(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder
                .userDetailsService(this.userDetailsService)
                .passwordEncoder(passwordEncoder());
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public JwtAuthenticationTokenFilter authenticationTokenFilterBean() throws Exception {
        JwtAuthenticationTokenFilter authenticationTokenFilter = new JwtAuthenticationTokenFilter();
        authenticationTokenFilter.setAuthenticationManager(authenticationManagerBean());
        return authenticationTokenFilter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http

            // we don't need CSRF because our token is invulnerable
            .csrf().disable()

            .exceptionHandling()
                .authenticationEntryPoint(unauthorizedHandler)
                .and()

            // don't create session
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()

            .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/login").permitAll()
                .antMatchers(HttpMethod.POST, "/myUsers").permitAll()
                .antMatchers(HttpMethod.PUT).authenticated()
                .antMatchers(HttpMethod.POST).authenticated()
                .antMatchers(HttpMethod.DELETE).authenticated()
                .antMatchers(HttpMethod.PATCH).authenticated()
                .anyRequest().permitAll();

        // Custom JWT based security filter
        http.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);

        http.addFilterBefore(new CORSFilter(), ChannelProcessingFilter.class);

    }
}

Thanks!
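The same per-user restriction written so that it fails closed, as an added example that is not part of the question or the answer. It assumes, as the question does, that the UserDetails placed in the SecurityContext by BasicUserDetailsService exposes getId() returning a UUID and that MyUser has getId(); the @PostAuthorize rules on the two lookup methods are an assumption about the intended policy ("only your own resource"), not something the question states.

```java
// Added example, not the question's code. Assumes the authenticated principal
// (from BasicUserDetailsService) and MyUser both expose getId() -> UUID.
import java.util.UUID;

import org.springframework.data.repository.PagingAndSortingRepository;
import org.springframework.data.repository.query.Param;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;

@RepositoryRestResource
public interface MyUserRepository extends PagingAndSortingRepository<MyUser, UUID> {

    // Two things the original expression relies on silently:
    //  1. "#uuid" is resolved through parameter-name discovery, which needs
    //     debug info or javac -parameters; @P pins the name so the rule does
    //     not depend on compiler flags.
    //  2. With anyRequest().permitAll() an anonymous caller reaches this method
    //     and "principal" is then the String "anonymousUser", so
    //     principal.getId() throws instead of denying. isAuthenticated() is
    //     checked first and SpEL "and" short-circuits, so the rule denies cleanly.
    @Override
    @PreAuthorize("isAuthenticated() and principal.getId().equals(#uuid)")
    MyUser findOne(@P("uuid") UUID uuid);

    // Lookups by username/email can return someone else's row, so the check
    // has to run on the result; a null result is not a disclosure and passes.
    @PostAuthorize("returnObject == null or (isAuthenticated() and returnObject.getId().equals(principal.getId()))")
    MyUser findByUsername(@Param("username") String username);

    @PostAuthorize("returnObject == null or (isAuthenticated() and returnObject.getId().equals(principal.getId()))")
    MyUser findByEmail(@Param("email") String email);
}
```

With @EnableGlobalMethodSecurity(prePostEnabled = true) already present in WebSecurityConfig, nothing else needs to change for these rules to be enforced on the exported repository endpoints.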

1 answer:

Answer 0 (score: 0)

Updating to Spring Boot 1.4 solved this problem.