我尝试使用@Secured,但它并未授予所有角色用户权限。
我的配置是这样的:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled=true)
public class SecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
public void globalConfig(AuthenticationManagerBuilder auth, DataSource dataSource) throws Exception{
auth.jdbcAuthentication()
.dataSource(dataSource)
.passwordEncoder(passwordEncoder())
.usersByUsernameQuery("select username as principal, password as credentials, true from users where username = ?")
.authoritiesByUsernameQuery("select u.username as principal, r.role as role from users u, role r where"
+ " u.roule_id = r.role and username = ?");
// .rolePrefix("role_");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/css/**","/fonts/**","/js/**","/app/**","/images/**","/partials/**").permitAll()
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/")
.failureUrl("/login?error=true")
.permitAll()
// .successHandler(successHandler())
.and().logout().logoutSuccessUrl("/login?logout")
.and().exceptionHandling().accessDeniedPage("/pages/303.html");
}
@Bean
public PasswordEncoder passwordEncoder(){
PasswordEncoder encoder = new BCryptPasswordEncoder();
return encoder;
}
@Bean
public AuthenticationSuccessHandler successHandler() {
return new CustomLoginSuccessHandler("/");
}
}
和我的服务:
@RestController
public class ServerService {
...
@Secured("root")
@RequestMapping(value="getServers",method = RequestMethod.GET)
public List<ServerDTO> getServers(@RequestParam String st) {
...
}
}
答案 0 :(得分:1)
您应该尝试@Secured("ROLE_ROOT")
Spring @Secured正在等待与原始角色略有不同的安全属性。
的更多详情前缀&#34;
ROLE_&#34;是一个标记,表示应该与用户的权限进行简单的比较。换句话说,应该使用正常的基于角色的检查。 Spring Security中的访问控制不仅限于使用简单角色(因此使用前缀来区分不同类型的安全属性)