2016-09-01 50 views

Errors using @PreAuthorize

I am developing a Spring Boot application and I am trying to use the @PreAuthorize annotation to filter access to user resources, so that a user can only access his own resources. Here is my UserRepository:

import java.util.UUID;

import org.springframework.data.repository.PagingAndSortingRepository;
import org.springframework.data.repository.query.Param;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Repository;

@Repository
@RepositoryRestResource
public interface MyUserRepository extends PagingAndSortingRepository<MyUser, UUID> {
    // Owner check on a single lookup: "principal" is Authentication.getPrincipal(),
    // so it must be an object that exposes getId(); "#uuid" is the method argument.
    @Override
    @PreAuthorize("principal.getId().equals(#uuid)")
    MyUser findOne(UUID uuid);

    // Derived queries; Spring Data REST also exports these under /myUsers/search/...
    MyUser findByUsername(@Param("username") String username);

    MyUser findByEmail(@Param("email") String email);

}

You can see the stack trace here

Somewhere in the stack trace, line 42 of the class WebSecurityConfig is referenced, which is in the configureAuthentication method of the class below:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
// prePostEnabled = true is what makes the @PreAuthorize on the repository take effect
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // RestAuthenticationEntryPoint, BasicUserDetailsService, JwtAuthenticationTokenFilter
    // and CORSFilter are the application's own classes (not shown in the question).
    @Autowired
    private RestAuthenticationEntryPoint unauthorizedHandler;

    @Autowired
    private BasicUserDetailsService userDetailsService;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Autowired
    public void configureAuthentication(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder
            .userDetailsService(this.userDetailsService)
            .passwordEncoder(passwordEncoder());
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public JwtAuthenticationTokenFilter authenticationTokenFilterBean() throws Exception {
        JwtAuthenticationTokenFilter authenticationTokenFilter = new JwtAuthenticationTokenFilter();
        authenticationTokenFilter.setAuthenticationManager(authenticationManagerBean());
        return authenticationTokenFilter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http

            // CSRF protection is disabled on the assumption that the JWT is sent in a
            // request header, not a cookie, so a browser never attaches it automatically
            .csrf().disable()

            .exceptionHandling()
                .authenticationEntryPoint(unauthorizedHandler)
                .and()

            // don't create a session: every request must carry the token
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()

            .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/login").permitAll()
                // unauthenticated POST to /myUsers (presumably user registration)
                .antMatchers(HttpMethod.POST, "/myUsers").permitAll()
                .antMatchers(HttpMethod.PUT).authenticated()
                .antMatchers(HttpMethod.POST).authenticated()
                .antMatchers(HttpMethod.DELETE).authenticated()
                .antMatchers(HttpMethod.PATCH).authenticated()
                // everything else, including every GET, is open at the URL level;
                // reads are only restricted by the method-level @PreAuthorize
                .anyRequest().permitAll();

        // Custom JWT based security filter
        http.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);

        http.addFilterBefore(new CORSFilter(), ChannelProcessingFilter.class);

    }
}

Thanks!
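The question's goal is that a user can reach only his own record, but the single @PreAuthorize shown guards findOne alone. Spring Data REST also exports findAll (GET /myUsers), the two finder methods (GET /myUsers/search/findByUsername and .../findByEmail) and save/delete, and the HttpSecurity rules in the question permit every GET to anyone and every PUT, PATCH and DELETE to any authenticated user, so an authenticated caller can read or modify other users' records through those paths. The following is an added example, not code from the original post or from Spring itself, showing one way to close those paths with method security. It assumes that MyUser exposes getId(), getUsername() and getPassword() (nothing else about MyUser is known from the question), that a role named ADMIN exists, and that BasicUserDetailsService and the JWT filter put a MyUserPrincipal (defined below) into the Authentication. The expressions reference principal.id, so if the principal is the plain username String instead, every guarded call throws an expression evaluation error rather than being denied cleanly.

```java
// Added example (not from the original question or from Spring itself).
// Assumptions: MyUser has getId(), getUsername() and getPassword(); a role named
// ADMIN exists; the application's UserDetailsService and JWT filter put a
// MyUserPrincipal into the Authentication so that "principal.id" resolves.
import java.util.Collection;
import java.util.UUID;

import org.springframework.data.domain.Page;
import org.springframework.data.domain.Pageable;
import org.springframework.data.repository.PagingAndSortingRepository;
import org.springframework.data.repository.query.Param;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.data.rest.core.annotation.RestResource;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

@RepositoryRestResource
public interface MyUserRepository extends PagingAndSortingRepository<MyUser, UUID> {

    // GET /myUsers/{uuid}: only the owner. "#uuid" is resolved from @P, which Spring
    // Security's parameter name discoverer reads, so the check does not depend on
    // the interface having been compiled with -parameters.
    @Override
    @PreAuthorize("isAuthenticated() and #uuid == principal.id")
    MyUser findOne(@P("uuid") UUID uuid);

    // GET /myUsers: without a guard this lists every user to anonymous callers,
    // because the HttpSecurity rules permit all GETs.
    @Override
    @PreAuthorize("hasRole('ADMIN')")
    Page<MyUser> findAll(Pageable pageable);

    @Override
    @PreAuthorize("hasRole('ADMIN')")
    Iterable<MyUser> findAll();

    // POST /myUsers (registration, permitted to anonymous callers) may create a
    // record that has no id yet; PUT/PATCH must target the caller's own record.
    // SpEL "and"/"or" short-circuit, so principal.id is never evaluated for an
    // anonymous caller, whose principal is the String "anonymousUser".
    @Override
    @PreAuthorize("(isAnonymous() and #user.id == null) "
                + "or (isAuthenticated() and #user.id == principal.id)")
    <S extends MyUser> S save(@P("user") S user);

    // DELETE /myUsers/{uuid}: owner or ADMIN, for both delete overloads.
    @Override
    @PreAuthorize("hasRole('ADMIN') or (isAuthenticated() and #uuid == principal.id)")
    void delete(@P("uuid") UUID uuid);

    @Override
    @PreAuthorize("hasRole('ADMIN') or (isAuthenticated() and #user.id == principal.id)")
    void delete(@P("user") MyUser user);

    // Still usable from application code (e.g. the UserDetailsService at login),
    // but no longer exported as GET /myUsers/search/findByUsername.
    @RestResource(exported = false)
    MyUser findByUsername(@Param("username") String username);

    // Exported, but the result is checked after the query: a caller can only
    // ever get back his own record, or null.
    @PostAuthorize("returnObject == null "
                 + "or (isAuthenticated() and returnObject.id == principal.id)")
    MyUser findByEmail(@Param("email") String email);
}

// The object behind "principal" in the expressions above. Spring Security binds
// "principal" to Authentication.getPrincipal(), so it has to be something with a
// getId() getter rather than the bare username.
final class MyUserPrincipal implements UserDetails {
    private final MyUser user;
    private final Collection<? extends GrantedAuthority> authorities;

    MyUserPrincipal(MyUser user, Collection<? extends GrantedAuthority> authorities) {
        this.user = user;
        this.authorities = authorities;
    }

    public UUID getId() { return user.getId(); }

    @Override public String getUsername() { return user.getUsername(); }
    @Override public String getPassword() { return user.getPassword(); }
    @Override public Collection<? extends GrantedAuthority> getAuthorities() { return authorities; }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return true; }
}
```

A quick check after wiring this in: log in as one user, then GET /myUsers/{other user's id}, GET /myUsers, GET /myUsers/search/findByEmail?email={other user's email} and PUT /myUsers/{other user's id}; all four should come back 403, and findByUsername should no longer appear under /myUsers/search at all.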


Don't you have an implementation of MyUserRepository? – jlumietu


Of course, you can see it in the first code snippet. – bergacat1


That is an interface, isn't it? – jlumietu

Answer


Updating to Spring Boot 1.4 solved the problem.
