@PreAuthorize does not work with prePostEnabled = true

Time: 2018-11-02 20:24:52

Tags: java spring spring-boot spring-security spring-security-oauth2

It seems that when using

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
}

@PreAuthorize does not work:

@PreAuthorize("permitAll()")
@RequestMapping(value = "/users/change-email", method = RequestMethod.GET)
public void changeEmail() {
    // ..
}

I also have @EnableGlobalMethodSecurity(prePostEnabled = true), with the same result:

@PreAuthorize("permitAll()")
@Transactional
public void changeEmail(HttpServletResponse response, String token) throws IOException {
     // ..
}

I'm not clear why. Any ideas?

This is how I configured the ResourceServerConfigurerAdapter:

@Configuration
@EnableResourceServer
public class ResourceServer extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {

        http
                .exceptionHandling()
                    .authenticationEntryPoint(new AuthFailureHandler())
                .and()
                .authorizeRequests()
                    .anyRequest()
                    .authenticated();
    }
}

At the moment I get an AccessDeniedException:

org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]

0 answers:

No answers