我对Spring Boot有问题。安全配置无法正常工作。
configure方法如下:
@Override
public void configure(HttpSecurity http) throws Exception {
http
.cors()
.and()
.csrf()
.disable()
.authorizeRequests()
.antMatchers(ApplicationConstants.API_PREFIX + "/authenticate").permitAll()
.antMatchers(ApplicationConstants.API_PREFIX + "/register").permitAll()
.antMatchers(ApplicationConstants.API_PREFIX + "/activate").permitAll()
.antMatchers(ApplicationConstants.API_PREFIX + "/consentTypes").permitAll()
.antMatchers(ApplicationConstants.API_PREFIX + "/**").fullyAuthenticated()
.antMatchers(ApplicationConstants.API_PREFIX + "/onboard/**", "/user/me").hasAnyAuthority(ApplicationConstants.USER, ApplicationConstants.ADMIN, ApplicationConstants.SUPER_ADMIN)
.antMatchers(ApplicationConstants.API_PREFIX + "/consentType/**", "/consentType").hasAnyAuthority(ApplicationConstants.ADMIN, ApplicationConstants.SUPER_ADMIN)
.antMatchers(ApplicationConstants.API_PREFIX + "/register/admin").hasAnyAuthority(ApplicationConstants.ADMIN, ApplicationConstants.SUPER_ADMIN)
.antMatchers(ApplicationConstants.API_PREFIX + "/user/all").hasAnyAuthority(ApplicationConstants.ADMIN, ApplicationConstants.SUPER_ADMIN)
.antMatchers(ApplicationConstants.API_PREFIX + "/register/superAdmin").hasAuthority(ApplicationConstants.SUPER_ADMIN)
.and()
.addFilter(new JwtAuthorizationFilter(authenticationManager(), tokenProvider)).antMatcher("/**")
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
ApplicationConstants类如下所示:
public class ApplicationConstants {
public static final String API_PREFIX = "/api/v1";
public static final String SPRING_PROFILE_TEST = "test";
public static final String SPRING_PROFILE_DEV = "dev";
public static final String USER = "USER";
public static final String ADMIN = "ADMIN";
public static final String SUPER_ADMIN = "SUPER_ADMIN";
private ApplicationConstants() {
}
}
例如,此配置允许USER创建新的同意类型,它不应这样做,从而使所有用户(/user/all)不能接受该操作。< / p>
我尝试了一些事情,在权限常量前面加上了ROLE_,还尝试了antMatcher模式的许多组合,等等。我做错了什么?该安全性基于JWT,似乎可以正确提供角色名称。它自己添加了ROLE_前缀,因此我从常量中删除了该前缀,什么也没有。