1. 首頁
  2. 問答
  3. 彈簧安全 - 基於角色的訪問

彈簧安全 - 基於角色的訪問

2017-05-19 82 views
-1

我已經爲我的webapp實現了彈簧安全。彈簧安全 - 基於角色的訪問

我想配置基於角色的訪問。只有具有角色「ROLE_ADMIN」的用戶才能登錄。

我添加了模型「角色」,並在我的數據庫中添加了一個表。 但是具有「ROLE_USER」角色的用戶仍然可以登錄。

@Override 
protected void configure(HttpSecurity http) { 
    try { 
     http.csrf().disable() 
       .authorizeRequests() 
       .antMatchers("/resources/**").hasRole("ROLE_ADMIN") 
       .anyRequest().authenticated() 
       .and() 
       .formLogin() 
       .loginPage("/login") 
       .permitAll() 
       .and() 
       .logout() 
       .permitAll(); 
    } catch (Exception e) { 
     e.printStackTrace(); 
    } 

}

謝謝!

編輯:完整的春天安全配置

@Configuration 
@EnableWebSecurity 
@ComponentScan(basePackageClasses = UserDetailsServiceImpl.class) 
@EnableGlobalMethodSecurity(prePostEnabled = true) 
public class WebSecurityConfig extends WebSecurityConfigurerAdapter { 

@Autowired 
private UserDetailsService userDetailsService; 

@Bean 
public BCryptPasswordEncoder bCryptPasswordEncoder() { 
    return new BCryptPasswordEncoder(); 
} 

@Override 
public void configure(WebSecurity web) { 
    web.ignoring().antMatchers("/css/**", "/js/**"); 
} 

@Override 
protected void configure(HttpSecurity http) { 
    try { 
     http.csrf().disable() 
       .authorizeRequests() 
       .antMatchers("/resources/**").hasRole("ADMIN") 
       .anyRequest().authenticated() 
       .and() 
       .formLogin() 
       .loginPage("/login") 
       .permitAll() 
       .and() 
       .logout() 
       .permitAll(); 
    } catch (Exception e) { 
     e.printStackTrace(); 
    } 

} 

@Bean 
public DaoAuthenticationProvider authenticationProvider() { 
    DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider(); 
    authProvider.setUserDetailsService(userDetailsService); 
    authProvider.setPasswordEncoder(bCryptPasswordEncoder()); 
    return authProvider; 
} 

@Autowired 
public void globalSecurityConfiguration(AuthenticationManagerBuilder auth) { 
    try { 
     auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder()); 
    } catch (Exception e) { 
     e.printStackTrace(); 
    } 
} 

}

來源

2017-05-19 cmplx96

回答

1

你擴展WebMvcConfigurerAdapter?此外hasRole將前綴提供的字符串以 「ROLE_」

從DOC:

角色要求(即,用戶,管理員等)。請注意,它不應以「ROLE_」開頭,因爲它會自動插入。

例如:

@SpringBootApplication 
public class SampleWebSecureJdbcApplication extends WebMvcConfigurerAdapter { 

    public static void main(String[] args) throws Exception { 
     new SpringApplicationBuilder(SampleWebSecureJdbcApplication.class).run(args); 
    } 

    @Configuration 
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) 
    protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter { 

     @Autowired 
     private DataSource dataSource; 

     @Override 
     protected void configure(HttpSecurity http) throws Exception { 
       http 
        .authorizeRequests()  
        .antMatchers("/resources/**", "/signup", "/about").permitAll()  
        .antMatchers("/admin/**").hasRole("ADMIN") 
        .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") 
        .anyRequest().authenticated()  
        .and() 
        .formLogin().loginPage("/login").failureUrl("/login?error").permitAll() 
        .and() 
        .logout().permitAll(); 
     } 

     @Override 
     public void configure(AuthenticationManagerBuilder auth) throws Exception { 
      auth.jdbcAuthentication().dataSource(this.dataSource); 
     } 

    } 

}

來源

2017-05-19 10:46:39

相關問題

 相關問題