Kotlin: securing a controller with the @PreAuthorize annotation doesn't work
I'm trying to secure an endpoint using Spring Security, but the code doesn't seem to work. I don't know where I'm going wrong.

My security class:
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
open class WebSecurity : WebSecurityConfigurerAdapter() {
    @Throws(Exception::class)
    override fun configure(http: HttpSecurity) {
        http.httpBasic()
            .and()
            .cors().and()
            .csrf().disable().authorizeRequests()
            .antMatchers("/authorize/users/*").permitAll()
            .anyRequest().authenticated().hasRole("MANAGER")
            .and()
            .formLogin()
    }

    @Bean
    public override fun userDetailsService(): UserDetailsService {
        // User role
        val theUser = User.withUsername("sergey")
            .passwordEncoder { charSequence: String? -> PasswordEncoderFactories.createDelegatingPasswordEncoder().encode(charSequence) }
            .password("12345678").roles("USER").build()
        // Manager role
        val theManager = User.withUsername("john")
            .password("87654321").roles("MANAGER").build()
        val userDetailsManager = InMemoryUserDetailsManager()
        userDetailsManager.createUser(theUser)
        userDetailsManager.createUser(theManager)
        return userDetailsManager
    }
}

Controller:
@RestController
@RequestMapping("/authorize")
open class AuthController {
    @PreAuthorize("hasRole('MANAGER')")
    @PostMapping("/users/add")
    fun createUsers(@RequestHeader("Authorization") token: String,
                    @RequestBody users: UserDTO) : ResponseEntity<Any> {
        lateinit var message: String
        try {
            val response = authService.insert(users, token)
        }
        catch (exception: RuntimeException) {
            return ResponseEntity(exception.message, HttpStatus.INTERNAL_SERVER_ERROR)
        }
    }
}

[...] associated with unrecognized or nonexistent credentials.
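I think the problem is here:

    val theManager = User.withUsername("john")
        .password("87654321").roles("MANAGER").build()

Without an encoding prefix, Spring Security may fail when performing the password comparison.

Instead, you should do this:

    val theManager = User.withUsername("john")
        .password("{noop}87654321").roles("MANAGER").build()

to tell Spring Security that this password is not encoded.

Debugging tip

If this doesn't fix the problem, consider adding antMatchers("/error").permitAll() to your list of authorization requests, and possibly simplifying the stack to:

    .authorizeRequests()
    .antMatchers("/error").permitAll()
    .anyRequest().authenticated()

This won't fix it, but opening up the /error endpoint may give you additional debugging information.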
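
The password comparison the answer describes, as an added example that is not part of the original question or answer. It assumes spring-security-core and spring-security-crypto on the classpath and no custom PasswordEncoder bean, so the default delegating encoder is used; `check` is a helper name introduced here.

```kotlin
import org.springframework.security.core.userdetails.User
import org.springframework.security.crypto.factory.PasswordEncoderFactories

// Hypothetical helper: compares a raw password with a stored value the way the
// default delegating encoder does, and reports a rejected stored format.
fun check(raw: String, stored: String): String {
    val encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder()
    return try {
        if (encoder.matches(raw, stored)) "match" else "no match"
    } catch (e: IllegalArgumentException) {
        // Thrown when the stored value has no {id} prefix to select an algorithm.
        "rejected: ${e.message}"
    }
}

fun main() {
    val encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder()

    // As in the question: no prefix on the stored password.
    val bare = User.withUsername("john")
        .password("87654321").roles("MANAGER").build()
    println("bare   -> " + check("87654321", bare.password))

    // As in the answer: {noop} marks the stored value as plain text.
    val noop = User.withUsername("john")
        .password("{noop}87654321").roles("MANAGER").build()
    println("noop   -> " + check("87654321", noop.password))

    // Hashing at build time, as the question already does for "sergey":
    // the builder applies the function in build(), so the stored value is prefixed.
    val hashed = User.withUsername("john")
        .passwordEncoder { encoder.encode(it) }
        .password("87654321").roles("MANAGER").build()
    println("hashed -> " + check("87654321", hashed.password))
    println("stored prefix: " + hashed.password.substringBefore('}') + "}")
}
```

The third variant keeps the plain-text password out of the stored user record, which is why `{noop}` is normally limited to tests and demos.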