Cannot perform the action with roles other than Superuser

Asked: 2018-10-30 12:04:52

Tags: spring-boot spring-security

I am using Spring Boot 2 with Spring Security and Thymeleaf.

I have several roles:

Superuser, CustomerSupport, Integrator


In my security configuration class:

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig{

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private AuthenticationEventPublisher authenticationEventPublisher;

    @Autowired
    private CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler;

    @Autowired
    private CustomLogoutHandler customLogoutHandler;

    @Configuration
    public class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationEventPublisher(authenticationEventPublisher).userDetailsService(userDetailsService)
                    .passwordEncoder(passwordEncoder);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/css/**", "/webjars/**", "/js/**", "/img/**", "/")
                    .permitAll().anyRequest().authenticated().and().formLogin().loginPage("/login").permitAll()
                    .successHandler(customAuthenticationSuccessHandler)
                    .and().logout().logoutUrl("/logout").logoutSuccessHandler(customLogoutHandler)
                    .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                    .deleteCookies("JSESSIONID")
                    .invalidateHttpSession(true)
                    .logoutSuccessUrl("/login").and().csrf().disable();
        }

        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers("/css/**", "/webjars/**", "/js/**", "/img/**");
        }
    }

}

In Thymeleaf, I have this kind of code in some places:

<th:block sec:authorize="hasAnyRole('CustomerSupport')">
    ....
</th:block>

When I log in as a user who does not have this role, I see nothing, which is normal.

I have a REST controller:

@PreAuthorize("hasAnyRole('Superuser', 'Integrator', CustomerSupport') ")
@PutMapping(value = "/{id}")
public ResponseEntity updateCar(@PathVariable("id") Integer id, @RequestBody CarDto dto) {
    ...
}

When a user with the role CustomerSupport calls updateCar, he gets:

{
    "timestamp": "2018-10-30T11:36:46.603+0000",
    "status": 403,
    "error": "Forbidden",
    "message": "Forbidden",
    "path": "/rest/car/5000"
}

1 answer:

Answer 0 (score: 2)

You are missing a ' before CustomerSupport on this line:

@PreAuthorize("hasAnyRole('Superuser', 'Integrator', 'CustomerSupport') ")
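As an added example (not part of the question or the answer), here is a MockMvc authorization test for the corrected annotation, so that a broken role list fails the build instead of showing up as a 403 for real users; it assumes Spring Boot 2 with JUnit 4 and spring-security-test on the test classpath, and that the controller is mapped under /rest/car (taken from the "path" in the 403 response above).

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotEquals;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;

// Added example, not code from the question or answer. Assumes Spring Boot 2,
// JUnit 4 and spring-security-test; the /rest/car path comes from the 403 body.
@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class CarUpdateAuthorizationTest {

    @Autowired
    private MockMvc mockMvc;

    // CarDto's fields are not shown on the page, so an empty JSON object is sent;
    // only the outcome of the security decision is checked, not the controller result.
    private int statusOfPut() throws Exception {
        MvcResult result = mockMvc.perform(put("/rest/car/5000")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{}")).andReturn();
        return result.getResponse().getStatus();
    }

    // hasAnyRole('CustomerSupport') matches the authority "ROLE_CustomerSupport";
    // @WithMockUser(roles = ...) adds the ROLE_ prefix, so the two line up.
    @Test
    @WithMockUser(username = "cs", roles = "CustomerSupport")
    public void customerSupportIsNotRejected() throws Exception {
        assertNotEquals(403, statusOfPut());
    }

    @Test
    @WithMockUser(username = "guest", roles = "Guest")
    public void unlistedRoleIsForbidden() throws Exception {
        assertEquals(403, statusOfPut());
    }
}
```

With the original annotation (missing quote) the first test fails with the same 403 reported in the question; with the corrected one both pass.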