1. 首頁
  2. 問答
  3. 授權角色Spring引導Oauth2〜Restful API

授權角色Spring引導Oauth2〜Restful API

2016-02-04 108 views
0

我需要幫助解決此問題... 我無法在我的安全配置文件中保護我的控制器。但我可以用授權角色Spring引導Oauth2〜Restful API

@PreAuthorize("hasAuthority('ROLE_ADMIN')")

做,在我的控制,但是這實在是煩人,我想從我的安全的conf做到這一點。文件

這是我WebSecurityconfigurerAdapter:

@Configuration 
//@EnableWebMvcSecurity 
@EnableGlobalMethodSecurity(prePostEnabled = false) 
//@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) 
//@EnableWebSecurity 
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { 

    @Autowired 
    CustomAuthenticationProvider customAuthenticationProvider; 

    @Autowired 
    CustomUserDetailsService cuds; 

    @Override 
    protected void configure(AuthenticationManagerBuilder auth) throws Exception { 
     auth 
       .userDetailsService(cuds) 
       .passwordEncoder(passwordEncoder()) 
       .and() 
       .authenticationProvider(customAuthenticationProvider); 
    } 

    @Bean 
    public BCryptPasswordEncoder passwordEncoder() { 
     return new BCryptPasswordEncoder(); 
    } 

    @Override 
    @Bean 
    public AuthenticationManager authenticationManagerBean() throws Exception { 
     return super.authenticationManagerBean(); 
    } 

    @Override 
    protected void configure(HttpSecurity http) throws Exception { 
     http 
       .authorizeRequests() 
       .antMatchers("/**").authenticated() 
       .antMatchers("/test").authenticated() 
       .antMatchers("/usuarios/**").hasRole("ADMIN"); 
    } 
}

,這是我Oauth2Configuration:

@Configuration 
public class Oauth2Configuration { 

    private static final String RESOURCE_ID = "restservice"; 

    @Configuration 
    @EnableResourceServer 
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter { 

     @Autowired 
     private CustomLogoutSuccessHandler customLogoutSuccessHandler; 

     @Override 
     public void configure(ResourceServerSecurityConfigurer resources) { 
      resources 
        .resourceId(RESOURCE_ID); 
     } 

     @Override 
     public void configure(HttpSecurity http) throws Exception { 
      http 
        // Logout 
        .logout() 
        .logoutUrl("/oauth/logout") 
        .logoutSuccessHandler(customLogoutSuccessHandler) 
        .and() 
        //Session management 
        .sessionManagement() 
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS) 
        .and() 
        //URI's to verify 
        .authorizeRequests() 
        .antMatchers("/oauth/logout").permitAll() 
        .antMatchers("/**").authenticated() 
        .antMatchers("/usuarios/**").hasRole("ADMIN"); 
     } 
    }

我試圖使用權限和角色,但是沒有什麼工作。一些想法我做錯了什麼?

來源

2016-02-04 Paulo Galdo Sandoval

+0

也許是訂購的問題?如果你把 '.antMatchers(「/ usuarios/**」)。hasRole(「ADMIN」)' 之前 '.antMatchers(「/ **」)。authenticated()' –

+0

男人,我愛你! !哈哈,是這個命令的問題 –

回答

0

好感謝Yannic克萊姆我得到了答案,用的順序有問題

首先我WebSecurityConfigurerAdapter我設置的「USUARIOS」

@Override 
    protected void configure(HttpSecurity http) throws Exception { 
     http 
       .authorizeRequests() 
       .antMatchers("/usuarios").authenticated(); 
    }

後,在我的Oauth2Configuration設置我驗證我的授權與我的羅。

@Override 
    public void configure(HttpSecurity http) throws Exception { 
     http 
       // Logout 
       .logout() 
       .logoutUrl("/oauth/logout") 
       .logoutSuccessHandler(customLogoutSuccessHandler) 
       .and() 
       //Session management 
       .sessionManagement() 
       .sessionCreationPolicy(SessionCreationPolicy.STATELESS) 
       .and() 
       //URI's to verify 
       .authorizeRequests() 
       .antMatchers("/oauth/logout").permitAll()      
       .antMatchers("/usuarios/**").hasRole("ADMIN"); 
    }

現在所有的作品都很好。謝謝你們!

來源

2016-02-04 09:59:56

相關問題

 相關問題