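@PreAuthorize annotation does not work with JpaRepository in Spring

Time: 2019-02-06 13:02:36

Tags: java api spring-boot spring-data-jpa repository

I am having a problem with my UsersRepository, shown below.

I have a user repository, and I am trying to show all users in the database only if the logged-in user is an "admin".

However, when I extend JpaRepository, the following code returns all users. When I extend CrudRepository, it works fine.

Is this a known limitation, or am I doing something wrong?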

    @Repository
    public interface UserRepository extends JpaRepository<User, Long> {

        List<User> findById(List<Long> userIds);

        Optional<User> findByUsername(String username);

        Boolean existsByUsername(String username);

    }

    {

        @PreAuthorize("hasRole('test')")
        @RequestMapping(value = "/api/users", method = RequestMethod.GET)
        public @ResponseBody List<User> findAll(Sort var1);

    }

Adding the Spring security configuration class to show the security settings

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(
            securedEnabled = true,
            jsr250Enabled = true,
            prePostEnabled = true
    )
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private JwtAuthenticationEntryPoint unauthorizedHandler;

        @Autowired
        CustomUserDetailsService customUserDetailsService;

        @Bean
        public JwtAuthenticationFilter jwtAuthenticationFilter() {
            return new JwtAuthenticationFilter();
        }

        private String[] permitted = new String[] {
                "/static/css/**", "/static/media/**", "/static/js/**", "/static/manifest.json"
        };

        @Bean(BeanIds.AUTHENTICATION_MANAGER)
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        // this will create the auth manager that we will use to auth the user
        @Override
        public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
            authenticationManagerBuilder
                    .userDetailsService(customUserDetailsService)
                    .passwordEncoder(passwordEncoder());
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .cors()
                    .and()
                    .csrf()
                    .disable()
                    .exceptionHandling()
                    .authenticationEntryPoint(unauthorizedHandler)
                    .and()
                    .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                    // .requiresChannel()
                    // .anyRequest()
                    // .requiresSecure()
                    // .and()
                    .authorizeRequests()
                    .antMatchers(permitted)
                    .permitAll()
                    .antMatchers("/api/auth/**", "/api/", "/")
                    .permitAll()
                    .anyRequest()
                    .permitAll();
                    //.authenticated();

            // Add our custom JWT security filter
            http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
        }

        @Bean
        public PasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }

    }

1 answer:

Answer 0: (score: 0)

Can you show your implementation of the security class? Did you annotate it with @EnableGlobalMethodSecurity(prePostEnabled = true)?