防止没有权限的用户访问Spring Security中的控制器方法

时间:2019-03-28 02:23:16

标签: spring-security

我有这个安全等级:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication().withUser("user").password("{noop}user").authorities("READ");
  }

  @Override
  public void configure(HttpSecurity http) throws Exception {
    http
    .csrf().disable()
    .authorizeRequests()
          .anyRequest().fullyAuthenticated()
      .and().httpBasic()
      .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}

我的控制器方法是

@PostMapping
    @PreAuthorize("hasAnyAuthority('WRITE')")
    public ResponseEntity registerEmployee...

使用用户user可以阻止访问registerEmployee,但即使user没有WRITE权限,我仍然可以使用它,只有READ

0 个答案:

没有答案