Warning: file_get_contents(/data/phpspider/zhask/data//catemap/2/spring/11.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
SpringWebFlux-如何保护RESTful私有资源?_Spring_Spring Security_Spring Webflux - Fatal编程技术网
Fatal编程技术网
  • spring/
  • SpringWebFlux-如何保护RESTful私有资源?

SpringWebFlux-如何保护RESTful私有资源?

spring spring-security

SpringWebFlux-如何保护RESTful私有资源?,spring,spring-security,spring-webflux,Spring,Spring Security,Spring Webflux,嗨,我有一个springboot webflux应用程序,具有springboot安全性。我使用基本身份验证进行身份验证。我有一个端点,它提供私有资源/users/{userId}/notifications,我希望确保只有经过身份验证的用户才能访问特定的私有资源 例如,我作为id为3的用户进行身份验证 我可以访问:/users/3/通知 我无法访问:/users/1/通知 这是我使用@PreAuthorize的示例代码,但它根本不起作用 @PostMapping("/users/{us

嗨,我有一个springboot webflux应用程序,具有springboot安全性。我使用基本身份验证进行身份验证。我有一个端点,它提供私有资源
/users/{userId}/notifications
,我希望确保只有经过身份验证的用户才能访问特定的私有资源

例如,我作为id为3的用户进行身份验证

我可以访问:
/users/3/通知

我无法访问:
/users/1/通知

这是我使用@PreAuthorize的示例代码,但它根本不起作用

    @PostMapping("/users/{userId}/notifications")
    // @Secured(value = ["userid"]) - also doesn't work
    @PreAuthorize("#userId == principal.id")
    fun addEmailNotification(@RequestBody emailNotificationCreationForm: @Valid EmailNotificationCreationForm): Mono<ResponseEntity<EmailNotificationCreationResponse>> {
//        log.info("Adding email notification {}", emailNotificationCreationForm)
        return Mono
                .just(emailNotificationCreationForm)
                .doOnNext { println(it) }
                .flatMap { Mono.just(EmailNotificationSetting("aa","bb")) }
                .map { EmailNotificationCreationResponse(true, 201, it) }
                .map { ResponseEntityUtils.toResponseEntity(it, HttpStatus.CREATED) }
    }
如果用户1和用户3是不同的用户,您只需访问/users/notifications,然后在您的方法中检查发出请求的当前登录用户是谁,并获取特定的人员通知。是的,我知道我可以这样做,但我不想这样做。我需要一个像/users/{id}/notificationsimho这样的端点,这是一个坏习惯,祝你好运!看起来您缺少作为控制器参数的
@PathVariable字符串userId
@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
internal open class SecurityConfig(private val userService: UserService) {

    companion object {
        private val AUTH_WHITELIST = arrayOf("/actuator/**", "/v2/api-docs", "/swagger-resources", "/swagger-resources/**", "/configuration/ui", "/configuration/security", "/swagger-ui.html", "/webjars/**")
    }

    @Bean
    open fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
        return http
                .csrf().disable()
                .authorizeExchange()
                .pathMatchers(HttpMethod.POST, REGISTRATION_REQUESTS_ENDPOINT).permitAll()
                .pathMatchers(HttpMethod.POST, AUTH_ENDPOINT).permitAll()
                .pathMatchers(*AUTH_WHITELIST).permitAll()
                .pathMatchers(HttpMethod.POST, Endpoints.forSecurity(REGISTRATION_REQUEST_CONFIRMATIONS_ENDPOINT)).permitAll()
                .pathMatchers(HttpMethod.GET, Endpoints.forSecurity(REGISTRATION_REQUEST_CONFIRMATION_ENDPOINT)).permitAll()
                .anyExchange().authenticated()
                .and()
                .httpBasic()
                .and()
                .formLogin().disable()
                .build()
    }