这是我的Configuration类,用于注册用户和url匹配器。
package com.example.security;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin")
.password(passwordEncoder().encode("admin"))
.authorities("API_TEST1","API_TEST2")
.roles("ADMIN")
.and().withUser("test")
.password(passwordEncoder().encode("test1234"))
.authorities("API_TEST1")
.roles("USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/api/test1").hasAuthority("API_TEST1")
.antMatchers("/api/test2").hasAuthority("API_TEST2")
.and().httpBasic();
}
@Bean
public PasswordEncoder passwordEncoder()
{
return new BCryptPasswordEncoder();
}
}
由于某些原因,角色和权限无法一起使用,当我禁用其中之一时,它们就会起作用:
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin")
.password(passwordEncoder().encode("admin"))
.authorities("API_TEST1","API_TEST2")
.roles("ADMIN")
.and().withUser("test")
.password(passwordEncoder().encode("test1234"))
.authorities("API_TEST1")
.roles("USER");
}
当我使用admin登录时,可以进入/ admin部分,但是输入api(api / test1或api / test2)会给我一个403错误,而我应该能够同时输入两者。