[使用hasAuthority或hasRole时角色访问不起作用。] [1] 代码:
private static String REALM = "MY_TEST_REALM";
@Override
protected void configure(HttpSecurity http) throws Exception {
JwtWebSecurityConfigurer
.forRS256(apiAudience, issuer)
.configure(http)
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/es/status").permitAll()
.antMatchers(HttpMethod.GET, "/login").permitAll()
.antMatchers("/users/all").hasRole(Role.ADMIN.getValue())
// .antMatchers("/users/all").hasRole("ADMIN") this also donot
work
.antMatchers("/v2/api-docs", "/configuration/ui", "/swagger-resources", "/configuration/security",
"/swagger-ui.html", "/webjars/**", "/swagger-resources/configuration/ui", "/swagger-ui.html")
.permitAll()
.anyRequest().authenticated();
}
}
错误:
{
"timestamp": "2018-07-23T06:07:25.962+0000",
"status": 403,
"error": "Forbidden",
"message": "Forbidden",
"path": "/users/all"
}
使用@PreAuthorize和@Secured时出错
{
"globalError": true,
"errorMessage": "You don't have permission to perform this request,
authorization has been denied!",
"status": 403,
"detail": "org.springframework.security.access.AccessDeniedException",
"timeStamp": 1532327263857,
"errors": {}
}
将所有Auth0用户存储在MongoDb中。现在,我想使用我的ADMIN获取所有用户详细信息,但管理员访问权限不起作用。 @PreAuthorize和@Secured也不起作用。