Java Springboot安全性已忽略角色
我正试图保护我的spring boot应用程序(1.21)的一些URLProtent 看起来像我的蚂蚁匹配器(“/report**”)。忽略了角色(“report”)。 我改变了我的蚂蚁配对器的顺序,但这并没有改变什么 e、 g.如果我浏览像localhost:9000/report/books这样的内容,我需要登录,并且它只与我的用户名密码组合一起工作,但我没有将角色report设置为我的用户“user”。所以我希望我不被允许访问报告站点,但是页面会显示出来 我必须如何更改只有具有角色报告的用户才能访问该url EDIT1更新的源文件 Application.javaJava Springboot安全性已忽略角色,java,spring-security,spring-boot,Java,Spring Security,Spring Boot,我正试图保护我的spring boot应用程序(1.21)的一些URLProtent 看起来像我的蚂蚁匹配器(“/report**”)。忽略了角色(“report”)。 我改变了我的蚂蚁配对器的顺序,但这并没有改变什么 e、 g.如果我浏览像localhost:9000/report/books这样的内容,我需要登录,并且它只与我的用户名密码组合一起工作,但我没有将角色report设置为我的用户“user”。所以我希望我不被允许访问报告站点,但是页面会显示出来 我必须如何更改只有具有角色报告的用
@SpringBootApplication
@EnableTransactionManagement
public class Application {
public static void main(String[] args) {
@SuppressWarnings("unused")
ApplicationContext ctx = SpringApplication.run(Application.class, args);
}
}
@Configuration
public class MvcConfig extends WebMvcConfigurerAdapter {
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/login").setViewName("login");
}
@Bean
public EmbeddedServletContainerCustomizer containerCustomizer(){
return new MyCustomizer();
}
private static class MyCustomizer implements EmbeddedServletContainerCustomizer {
@Override
public void customize(ConfigurableEmbeddedServletContainer factory) {
factory.addErrorPages(new ErrorPage(HttpStatus.NOT_FOUND, "/error/404"));
factory.addErrorPages(new ErrorPage(Exception.class, "/error/exception"));
}
}
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/error/**").addResourceLocations("classpath:/static/");
registry.addResourceHandler("/static/**").addResourceLocations("classpath:/static/");
registry.addResourceHandler("/css/**").addResourceLocations("classpath:/static/css/");
registry.addResourceHandler("/images/**").addResourceLocations("classpath:/static/images/");
registry.addResourceHandler("/js/**").addResourceLocations("classpath:/static/js/");
}
}
@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement().enableSessionUrlRewriting(false);
http
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll()
.and()
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/report**").hasRole("REPORT")
.anyRequest().fullyAuthenticated();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("user").roles("USER").and()
.withUser("admin").password("admin").roles("ADMIN");
}
}
@Configuration
public class MvcConfig extends WebMvcConfigurerAdapter {
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/login").setViewName("login");
}
@Bean
public EmbeddedServletContainerCustomizer containerCustomizer(){
return new MyCustomizer();
}
private static class MyCustomizer implements EmbeddedServletContainerCustomizer {
@Override
public void customize(ConfigurableEmbeddedServletContainer factory) {
factory.addErrorPages(new ErrorPage(HttpStatus.NOT_FOUND, "/error/404"));
factory.addErrorPages(new ErrorPage(Exception.class, "/error/exception"));
}
}
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/error/**").addResourceLocations("classpath:/static/");
registry.addResourceHandler("/static/**").addResourceLocations("classpath:/static/");
registry.addResourceHandler("/css/**").addResourceLocations("classpath:/static/css/");
registry.addResourceHandler("/images/**").addResourceLocations("classpath:/static/images/");
registry.addResourceHandler("/js/**").addResourceLocations("classpath:/static/js/");
}
}
@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement().enableSessionUrlRewriting(false);
http
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll()
.and()
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/report**").hasRole("REPORT")
.anyRequest().fullyAuthenticated();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("user").roles("USER").and()
.withUser("admin").password("admin").roles("ADMIN");
}
}
我需要更改以下内容:
@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement().enableSessionUrlRewriting(false);
http
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll()
.and()
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/report/**").hasRole("REPORT")
.anyRequest().fullyAuthenticated()
.and().exceptionHandling().accessDeniedPage("/error/403");
}
@Override
@Order(Ordered.HIGHEST_PRECEDENCE)
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("user").roles("USER").and()
.withUser("admin").password("admin").roles("ADMIN","REPORT");
}
}
您是否使用过@EnableWebMvcSecurity@EnableGlobalMethodSecurity(prespenabled=true)和.fullyAuthenticated()?你的整个配置是什么?我添加了我所有的文件,并碰巧验证为fullyauthenticated,但我仍然能够访问该页面。你是否尝试拆分路径,如/main(允许全部)和/report(仅允许报告)?我添加了@PreAuthorize(“hasRole('ROLE_ADMIN'))在我的控制器中创建@RequestMapping方法,它部分实现了我想要的功能。我认为缺少的是:。和()。异常处理().accessDeniedPage(“/403”)以及可能的AccessDeniedHander您是否尝试了以前的配置,但只修改了报告的antMatcher?在我的情况下,这些都没有帮助:/