@PreAuthorize isAnonymous doesn't work on Spring Boot
@PreAuthorize with isAnonymous() doesn't seem to work with Spring (actually, Spring Boot).
Here is my code:
@RestController
@RequiredArgsConstructor
public class ValidateCodeController {

    private final @NonNull ValidateCodeProcessorHolder validateCodeProcessorHolder;

    // @PreAuthorize("permitAll()")
    @PreAuthorize("isAnonymous()")
    @GetMapping(SecurityConstants.VALIDATE_CODE_URL_PREFIX + "/{type}")
    public void creatCode(HttpServletRequest request, HttpServletResponse response,
                          @PathVariable String type) throws Exception {
        validateCodeProcessorHolder.findValidateCodeProcessor(type)
                .create(new ServletWebRequest(request, response));
    }

    @PreAuthorize("hasRole('ROLE_ADMIN')")
    @GetMapping("/test")
    public HttpEntity<?> resource() {
        return ResponseEntity.ok(123);
    }
}
But I get an HTTP 403 Forbidden response:
{
    "timestamp": "2019-08-02T08:36:50.859+0000",
    "status": 403,
    "error": "Forbidden",
    "message": "Access Denied",
    "path": "/code/email"
}
and for /test:
{
    "timestamp": "2019-08-02T08:36:48.202+0000",
    "status": 403,
    "error": "Forbidden",
    "message": "Access Denied",
    "path": "/test"
}
In my configuration file:
@EnableWebSecurity
@RequiredArgsConstructor
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // If use this, it can work.
                // .antMatchers("/code/*").permitAll()
                .anyRequest()
                .authenticated()
                .and()
            .csrf()
                .disable();
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}
I expect to get the resource.
Use

    @PreAuthorize("hasRole('ADMIN')")

or

    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
We can't use isAnonymous() or permitAll() with @PreAuthorize. Those can be used in configure(HttpSecurity http).
The correct way is to use the ROLE_NAME:

    @PreAuthorize("hasRole('ADMIN')")
    @PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_USER')")

We can also implement it in configure(HttpSecurity http), as shown below:
http
    .csrf().disable()
    .authorizeRequests()
        .antMatchers("/login", "/logout").permitAll()
        .antMatchers("/admin/**").hasRole("ADMIN")
        .antMatchers(HttpMethod.GET, "/user/**").hasAnyRole("ADMIN", "USER")
        .antMatchers(HttpMethod.POST, "/user/**").hasAnyRole("ADMIN", "USER")
        .anyRequest().authenticated();
In your WebSecurityConfig class you have the following definition:

    ...
    .anyRequest()
    .authenticated()
    ...

You are telling Spring that every request must be authenticated. Your annotation @PreAuthorize("isAnonymous()") will therefore always be false and return a 403 HTTP code.
See the following link for more information: https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html
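The ordering described in the answer above (the HttpSecurity rule is evaluated in the filter chain before any @PreAuthorize on the controller method) can be checked with a MockMvc test. This is an added example, not code from the question or any answer; it assumes the question's ValidateCodeController and WebSecurityConfig with the commented-out .antMatchers("/code/*").permitAll() line re-enabled ahead of .anyRequest().authenticated(), spring-security-test on the classpath, and that a validate-code processor exists for the "email" type.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.anonymous;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Added example (not the asker's or an answerer's code). Assumes the question's
// controller and security config, with .antMatchers("/code/*").permitAll()
// placed before .anyRequest().authenticated(), and spring-security-test.
@SpringBootTest
@AutoConfigureMockMvc
class ValidateCodeControllerSecurityTest {

    @Autowired
    private MockMvc mvc;

    // Filter chain: permitAll() lets the anonymous request through.
    // Method security: isAnonymous() is true, so the handler runs.
    @Test
    void anonymousCallerReachesCodeEndpoint() throws Exception {
        mvc.perform(get("/code/email").with(anonymous()))
           .andExpect(status().isOk());
    }

    // Filter chain: permitAll() still lets the request through, but the
    // method-level isAnonymous() now denies the authenticated caller.
    // Both layers are enforced; the filter layer is simply evaluated first.
    @Test
    void authenticatedCallerIsDeniedByIsAnonymous() throws Exception {
        mvc.perform(get("/code/email").with(user("alice").roles("USER")))
           .andExpect(status().isForbidden());
    }

    // Filter chain: anyRequest().authenticated() rejects the anonymous caller
    // before hasRole('ROLE_ADMIN') is ever evaluated. With no login mechanism
    // configured, the default entry point answers 403, as seen in the question.
    @Test
    void anonymousCallerIsRejectedBeforeMethodSecurity() throws Exception {
        mvc.perform(get("/test").with(anonymous()))
           .andExpect(status().isForbidden());
    }
}
```

Without the permitAll() line, the first test also fails with 403, which is exactly the symptom in the question: the request never reaches the method where isAnonymous() would be evaluated.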