Is Spring `@RolesAllowed` being ignored?

Time: 2019-05-09 16:34:14

Tags: java spring-boot kotlin spring-security vaadin

OK, so I have a Vaadin application (Vaadin 8, for legacy reasons) that I am integrating with Spring Security.

This works perfectly fine, and non-admin users are denied access:

@Secured("ROLE_ADMIN")
@SpringView(name = AdminHomeView.NAME)
class AdminHomeView : View, VerticalLayout(){
    companion object {
        const val NAME = "admin/home"
    }

    @PostConstruct
    internal fun init(){
        val label = Label()
        label.id = "label.msg"
        label.value = "This is the protected admin section. You are authenticated and authorized."

        this.addComponents(
                label
        )
    }
}

But if I replace @Secured with @RolesAllowed, the annotation is ignored and non-admin users can access the view.

This is my configuration:

@Configuration
@EnableWebSecurity
@EnableVaadin
@EnableVaadinSharedSecurity
@EnableGlobalMethodSecurity(
        securedEnabled = true,
        prePostEnabled = true, 
        jsr250Enabled = true,
        proxyTargetClass = true
)
class VaadinAwareSecurityConfiguration : WebSecurityConfigurerAdapter {

    private val userDetailsService: UserDetailsService

    @Inject
    constructor(userDetailsService: UserDetailsService) : super() {
        this.userDetailsService = userDetailsService
    }


    override fun configure(http: HttpSecurity) {
        http
            .csrf().disable() //vaadin has its own csrf protection, therefore this must be disabled
            .httpBasic().disable()
            .formLogin().disable()
            .authorizeRequests()
                .antMatchers("/login").anonymous()
                .antMatchers("/vaadinServlet/UIDL/**").permitAll()
                .antMatchers("/vaadinServlet/HEARTBEAT/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .logout()
                .addLogoutHandler(logoutHandler())
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?goodbye").permitAll()
                .and()
            .exceptionHandling()
                .authenticationEntryPoint(LoginUrlAuthenticationEntryPoint("/login"))
    }

    override fun configure(web: WebSecurity) {
        web
            .ignoring().antMatchers(
                "/VAADIN/**"
            )
    }

    override fun configure(auth: AuthenticationManagerBuilder) {

        auth
                .userDetailsService(userDetailsService)
                .passwordEncoder(passwordEncoder())
    }

    private fun logoutHandler():LogoutHandler{
        return VaadinSessionClosingLogoutHandler()
    }

    @Bean
    fun passwordEncoder(): PasswordEncoder {
        return BCryptPasswordEncoder(12)
    }

    @Bean
    fun myAuthenticationManager():AuthenticationManager{
        return super.authenticationManagerBean()
    }
}

Am I missing something?
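Added example, not code from the question or from the Vaadin/Spring projects: a Vaadin Spring `ViewAccessControl` bean that enforces JSR-250 `@RolesAllowed` on a view class at navigation time, so a view annotated like the one above is denied to users lacking the role. It assumes the `com.vaadin.spring.access.ViewAccessControl` hook is consulted by `SpringViewProvider` before a view is shown and that the existing integration only inspects `@Secured`; the class name is hypothetical.

```kotlin
import com.vaadin.spring.access.ViewAccessControl
import com.vaadin.ui.UI
import javax.annotation.security.RolesAllowed
import org.springframework.context.ApplicationContext
import org.springframework.security.core.context.SecurityContextHolder
import org.springframework.stereotype.Component

// Hypothetical bean (added example): every ViewAccessControl registered in the
// context is asked before navigation; a single "false" denies the view.
@Component
class RolesAllowedViewAccessControl(
        private val applicationContext: ApplicationContext
) : ViewAccessControl {

    override fun isAccessGranted(ui: UI, beanName: String): Boolean {
        // Views without @RolesAllowed are left to the other access controls
        // (for example the one that evaluates @Secured), so do not veto them here.
        val rolesAllowed = applicationContext
                .findAnnotationOnBean(beanName, RolesAllowed::class.java)
                ?: return true

        // Fail closed: no authentication, or an unauthenticated token, means no access.
        val authentication = SecurityContextHolder.getContext().authentication
        if (authentication == null || !authentication.isAuthenticated) {
            return false
        }

        val granted = authentication.authorities.map { it.authority }.toSet()

        // JSR-250 role names are often written without the "ROLE_" prefix;
        // accept both spellings, mirroring Spring Security's default role prefix.
        return rolesAllowed.value.any { role ->
            role in granted || "ROLE_$role" in granted
        }
    }
}
```

With this bean present, `@RolesAllowed("ADMIN")` and `@RolesAllowed("ROLE_ADMIN")` on the view both require the `ROLE_ADMIN` authority; denied navigations are reported by Vaadin's access-denied view rather than silently showing the protected content.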

0 answers:

No answers