我有这个安全等级:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("{noop}user").authorities("READ");
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.anyRequest().fullyAuthenticated()
.and().httpBasic()
.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
}
我的控制器方法是
@PostMapping
@PreAuthorize("hasAnyAuthority('WRITE')")
public ResponseEntity registerEmployee...
使用用户user可以阻止访问registerEmployee,但即使user没有WRITE权限,我仍然可以使用它,只有READ