我正在从Spring Boot Security应用程序中使用PostgreSQL数据库设置JDBC身份验证。
我为用户和角色创建了下表,分别命名为“ users”和“ user_authorities”。
CREATE SEQUENCE users_id_seq
INCREMENT 1
START 1
MINVALUE 1
MAXVALUE 2147483647
CACHE 1;
CREATE TABLE users (
id integer NOT NULL DEFAULT nextval('users_id_seq'),
username VARCHAR ( 100 ) UNIQUE NOT NULL,
password VARCHAR ( 100 ) NOT NULL,
enabled boolean NOT NULL,
CONSTRAINT users_pkey PRIMARY KEY (id)
);
CREATE SEQUENCE user_authorities_id_seq
INCREMENT 1
START 1
MINVALUE 1
MAXVALUE 2147483647
CACHE 1;
CREATE TABLE user_authorities(
id integer NOT NULL DEFAULT nextval('user_authorities_id_seq'),
user_id integer NOT NULL,
authority varchar(100) not null,
CONSTRAINT user_authorities_pkey PRIMARY KEY (id)
);
然后插入如下数据:
-- create user: 'user'
INSERT INTO users(username,password,enabled)
VALUES('user','$2a$10$TfjwK4p4y2xn5f6RN78gwOz0Le.cMGuhNaz51WDjChGCDF9Z0yqci',true);
-- create user: 'admin'
INSERT INTO users(username,password,enabled)
VALUES('admin','$2a$10$lbZgb/zt4jBoPjqF.RfsOOOKyKJMOZjFS8QMyO.5p7Ob/jzf7ASPC',true);
-- create role: 'USER' for the user: 'user'
INSERT INTO users_authorities(user_id,authority) VALUES((select u.id from users u where u.username =
'user'),'USER');
-- create role: 'ADMIN' for the user: 'admin'
INSERT INTO user_authorities(user_id,authority) VALUES((select u.id from users u where u.username =
'admin'),'ADMIN');
Spring Boot应用程序端,我具有安全性配置:
package com.mi.rest.webservices.restfulwebservices.security;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import
org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter{
@Autowired
DataSource dataSource;
@Autowired
BCryptPasswordEncoder bCryptEncoder;
private static final String GET_USERS_SQL = "SELECT username, password, enabled from users where
username = ?";
private static final String GET_USER_AUTHORITIES_SQL = "SELECT u.username, a.authority FROM
user_authorities a, users u WHERE u.username = ? AND u.id = a.user_id";
/**
* Specify authentication scheme:
*
* 1. In memory
* 2. JDBC
* 3. LDAP
*
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
/**
auth.inMemoryAuthentication()
.withUser("user").password("$2a$10$TfjwK4p4y2xn5f6RN78gwOz0Le.cMGuhNaz51WDjChGCDF9Z0yqci")
.roles("USER")
.and()
.withUser("admin")
.password("$2a$10$lbZgb/zt4jBoPjqF.RfsOOOKyKJMOZjFS8QMyO.5p7Ob/jzf7ASPC")
.roles("ADMIN");
*/
auth
.jdbcAuthentication()
.usersByUsernameQuery(GET_USERS_SQL)
.authoritiesByUsernameQuery(GET_USER_AUTHORITIES_SQL)
.dataSource(dataSource)
.passwordEncoder(bCryptEncoder);
}
//Authorization:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
//HTTP Basic authentication
.httpBasic()
.and()
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/todo-app/userOnly").hasRole("USER")
.antMatchers(HttpMethod.GET, "/todo-app/todos/**").hasRole("USER")
.antMatchers(HttpMethod.GET, "/todo-app/adminOnly").hasRole("ADMIN")
.antMatchers(HttpMethod.OPTIONS,"/**").permitAll()
//.and()
//.csrf().disable()
;
}
}
现在为了测试我的设置,我有一个带有以下端点的RestController:
package com.mi.rest.webservices.restfulwebservices.controllers;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
@RequestMapping("/todo-app")
@CrossOrigin(origins = "http://localhost:4200")
public class TodoController {
@GetMapping("/userOnly")
public TodoItem getForUserOnly() {
TodoItem todo9 = new TodoItem();
todo9.setId(9);
todo9.setDescription("USER role item");
todo9.setDone(false);
todo9.setTargetDate(new Date());
todo9.setUser("user");
return todo9;
}
@GetMapping("/adminOnly")
public TodoItem getForAdminOnly() {
TodoItem todo9 = new TodoItem();
todo9.setId(9);
todo9.setDescription("ADMIN role item");
todo9.setDone(false);
todo9.setTargetDate(new Date());
todo9.setUser("admin");
return todo9;
}
}
使用Postman进行测试时,我一直禁止所有测试(使用用户和管理员授权的端点)禁止403。
此图片缺少什么?任何提示和建议都将受到高度赞赏。
答案 0 :(得分:0)
不要以为我将 "ROLE" 附加到每个权限。 Spring 期望当局有一个前缀 "ROLE...." 。
参考 - Spring doc
编辑 users_authorities
表的插入内容
-- create role: 'USER' for the user: 'user'
INSERT INTO users_authorities(user_id,authority) VALUES((select u.id from users u where u.username =
'user'),'ROLE_USER');
-- create role: 'ADMIN' for the user: 'admin'
INSERT INTO user_authorities(user_id,authority) VALUES((select u.id from users u where u.username =
'admin'),'ROLE_ADMIN');