我正在开发一个暴露一堆REST-APIS的Spring Boot应用程序,试图应用一个SecurityFilter,它成功但不完全,我试图通过角色和权限来使用这些Web服务,但是一次登录它并不关心我是否可以访问该资源。
Spring Boot - Spring Security
这是我的安全码:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private BCryptPasswordEncoder bCyptPasswordEncoder;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(bCyptPasswordEncoder);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.formLogin();
http.authorizeRequests().antMatchers("/login/**", "/register/**").permitAll();
http.authorizeRequests().antMatchers(HttpMethod.POST, "/studentResource/**").hasAuthority("ADMIN");
http.authorizeRequests().anyRequest().authenticated();
}
}
@Service
public class UserDetalsServiceImpl implements UserDetailsService {
@Autowired
private UnivAccountService accountService;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
AppUser user = accountService.findByUsername(username);
if (user == null)
throw new UsernameNotFoundException(username);
Collection<GrantedAuthority> authorities = new ArrayList<>();
user.getAuRoles().forEach(r -> authorities.add(new SimpleGrantedAuthority(r.getRole())));
return new User(user.getAuUsername(), user.getAuPassword(), authorities);
}
}
我的REST-API
@RestController
@RequestMapping(value = "/studentResource")
public class UnivStudentApi {
@Autowired
private UnivStudentService studentService;
@PostMapping(value = "/getStudentsBySearchCriteria")
public <T> Pagination<UnivStudentDto> getStudentsBySearchCriteria(@RequestBody SearchRequest searchRequest,
@RequestParam int page, @RequestParam int size) {
return studentService.getStudentsBySearchCriteria(searchRequest, page, size);
}
@PostMapping(value = "/getStudentByIden/{stdIden}")
public UnivStudentDto getStudent(String stdIden) {
return studentService.getStudent(stdIden);
}
@PostMapping(value = "/addLaboratory")
public UnivOperationResponse persistNewLaboratory(@RequestBody UnivLaboratoryDto univLab) {
return studentService.persistNewLaboratory(univLab);
}
@PostMapping(value = "/add")
public UnivOperationResponse persistStudent(@RequestBody UnivStudentDto student) {
return studentService.persistStudent(student, student.getUstLab().getUlaIden());
}
@PostMapping(value = "/merge")
public UnivOperationResponse mergeStudent(@RequestBody UnivStudentDto student) {
return studentService.mergeStudent(student);
}
@PostMapping(value = "/delete")
public UnivOperationResponse deleteStudent(@RequestBody Long studentIden) {
return studentService.deleteStudent(studentIden);
}
@GetMapping(value = "/getStudents")
public Pagination<UnivStudentDto> getStudents(@RequestParam int page, @RequestParam int size) {
return studentService.getStudents(page, size);
}
@GetMapping(value = "/getStudentsByKW/{KW}")
public <T> Pagination<UnivStudentDto> getStudentsByKeyWord(@PathVariable("KW") T t, @RequestParam int page,
@RequestParam int size) {
return studentService.getStudentsByKeyWord(t, page, size);
}
@PostMapping(value = "/findPhdDoc")
public UnivStudentDto getStudent(@RequestBody Long studentIden) {
return studentService.getStudent(studentIden.toString());
}
}
我的数据库中有一个用户:用户名:用户,密码用户,ROLE:USER
例如,如果想要访问以下URL成功登录后:
http://localhost:8080/studentResource/getStudents?page=0&size=3
我希望403 禁止响应代码,但它不会阻止我,它会将结果渲染为好像我可以使用该方法。
提前感谢任何答案,解决方案。