我的UsersRepository出现问题,如下所示。
我有一个用户存储库,仅在以下情况下,我试图显示数据库中的所有用户 登录的用户是“管理员”。
但是,当我扩展JpaRepository时,以下代码返回所有用户。当我扩展CrudRepository时,它工作正常。
这是已知限制还是我做错了什么?
@Repository
public interface UserRepository extends JpaRepository<User, Long> {
List<User> findById(List<Long> userIds);
Optional<User> findByUsername(String username);
Boolean existsByUsername(String username);
}
{
@PreAuthorize("hasRole('test')")
@RequestMapping(value = "/api/users", method = RequestMethod.GET)
public @ResponseBody
List<User> findAll(Sort var1);
}
添加安全配置弹簧类以显示安全设置
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(
securedEnabled = true,
jsr250Enabled = true,
prePostEnabled = true
)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private JwtAuthenticationEntryPoint unauthorizedHandler;
@Autowired
CustomUserDetailsService customUserDetailsService;
@Bean
public JwtAuthenticationFilter jwtAuthenticationFilter() {
return new JwtAuthenticationFilter();
}
private String[] permitted = new String[] {
"/static/css/**","/static/media/**","/static/js/**", "/static/manifest.json"
};
@Bean(BeanIds.AUTHENTICATION_MANAGER)
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
// this will create the auth manager that we will use to auth the user
@Override
public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
authenticationManagerBuilder
.userDetailsService(customUserDetailsService)
.passwordEncoder(passwordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors()
.and()
.csrf()
.disable()
.exceptionHandling()
.authenticationEntryPoint(unauthorizedHandler)
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
// .requiresChannel()
// .anyRequest()
// .requiresSecure()
// .and()
.authorizeRequests()
.antMatchers(permitted)
.permitAll()
.antMatchers("/api/auth/**", "/api/", "/")
.permitAll()
.anyRequest()
.permitAll();
//.authenticated();
// Add our custom JWT security filter
http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
答案 0 :(得分:0)
您可以显示您对安全性类的实施吗?您是否用@EnableGlobalMethodSecurity(prePostEnabled = true)
注释了?