好吧,我有一个 Vaadin 应用程序(出于历史原因使用的是 Vaadin 8),正在把它与 Spring Security 集成。
下面这样是正常工作的:非管理员用户的访问会被拒绝:
/**
 * Admin-only landing view, registered with the Spring navigator under [NAME].
 *
 * Authorization is declared on the class with [Secured]; the view access control
 * configured by the shared-security integration decides, on navigation, whether the
 * current user may open it.
 * NOTE(review): `@Secured` here is read by the view access control, not by Spring's
 * method-security interceptors. `@RolesAllowed` (JSR-250) is presumably only honoured
 * on proxied bean method invocations via `@EnableGlobalMethodSecurity(jsr250Enabled = true)`,
 * which a view-navigation check does not go through — confirm which annotations the
 * view access control of the vaadin4spring version in use evaluates.
 */
@Secured("ROLE_ADMIN")
@SpringView(name = AdminHomeView.NAME)
class AdminHomeView : View, VerticalLayout() {

    /** Builds the view's only component after Spring has finished injecting this bean. */
    @PostConstruct
    internal fun init() {
        val message = Label().apply {
            id = "label.msg"
            value = "This is the protected admin section. You are authenticated and authorized."
        }
        addComponents(message)
    }

    companion object {
        /** Navigation path this view is registered under. */
        const val NAME = "admin/home"
    }
}
但是如果我把 @Secured 替换为 @RolesAllowed,该注解就会被忽略,非管理员用户也能访问该视图。
这是我的配置:
/**
 * Spring Security configuration for the Vaadin 8 UI.
 *
 * The HTTP filter chain only gates the servlet endpoints; per-view authorization
 * is left to the Vaadin view access control enabled by [EnableVaadinSharedSecurity],
 * which is driven by annotations on the view classes.
 *
 * NOTE(review): `/vaadinServlet/UIDL/**` and `/vaadinServlet/HEARTBEAT/**` are
 * `permitAll`, so for the UIDL (RPC) traffic nothing on the HTTP layer enforces
 * authentication or roles — every access decision for what the UI does rests on
 * the view-level checks. An annotation the view access control does not read
 * therefore leaves that view reachable. The `securedEnabled`/`prePostEnabled`/
 * `jsr250Enabled` flags below affect proxied bean method calls and presumably
 * have no bearing on view navigation — confirm against the vaadin4spring version.
 *
 * @param userDetailsService source of users and roles for [configure] (auth).
 */
@Configuration
@EnableWebSecurity
@EnableVaadin
@EnableVaadinSharedSecurity
@EnableGlobalMethodSecurity(
    securedEnabled = true,
    prePostEnabled = true,
    jsr250Enabled = true,
    proxyTargetClass = true
)
class VaadinAwareSecurityConfiguration @Inject constructor(
    private val userDetailsService: UserDetailsService
) : WebSecurityConfigurerAdapter() {

    /**
     * HTTP rules. CSRF, basic auth and form login are switched off because Vaadin
     * carries its own CSRF token and renders its own login UI; `/login` is reachable
     * only anonymously, the Vaadin RPC/heartbeat endpoints are open, everything else
     * requires an authenticated session. Unauthenticated requests are redirected to
     * `/login`; logout closes the Vaadin session and lands on `/login?goodbye`.
     */
    override fun configure(http: HttpSecurity) {
        // Vaadin has its own CSRF protection, so Spring Security's must be disabled.
        http.csrf().disable()
        http.httpBasic().disable()
        http.formLogin().disable()

        http.authorizeRequests()
            .antMatchers("/login").anonymous()
            .antMatchers("/vaadinServlet/UIDL/**").permitAll()
            .antMatchers("/vaadinServlet/HEARTBEAT/**").permitAll()
            .anyRequest().authenticated()

        http.logout()
            .addLogoutHandler(logoutHandler())
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login?goodbye").permitAll()

        http.exceptionHandling()
            .authenticationEntryPoint(LoginUrlAuthenticationEntryPoint("/login"))
    }

    /** Static Vaadin resources bypass the security filter chain entirely. */
    override fun configure(web: WebSecurity) {
        web.ignoring().antMatchers("/VAADIN/**")
    }

    /** Authenticates against the injected [UserDetailsService] with BCrypt-hashed passwords. */
    override fun configure(auth: AuthenticationManagerBuilder) {
        val daoConfigurer = auth.userDetailsService(userDetailsService)
        daoConfigurer.passwordEncoder(passwordEncoder())
    }

    /** Logout handler that also closes the Vaadin session, not just the HTTP one. */
    private fun logoutHandler(): LogoutHandler = VaadinSessionClosingLogoutHandler()

    /** BCrypt with cost factor [BCRYPT_STRENGTH]. */
    @Bean
    fun passwordEncoder(): PasswordEncoder = BCryptPasswordEncoder(BCRYPT_STRENGTH)

    /** Exposes the adapter's [AuthenticationManager] as a bean for other components. */
    @Bean
    fun myAuthenticationManager(): AuthenticationManager = super.authenticationManagerBean()

    private companion object {
        /** BCrypt work factor (log2 rounds). */
        const val BCRYPT_STRENGTH = 12
    }
}
我是不是漏掉了什么?