Spring 安全性只允许访问自己的资源
Spring Security permitting access only to own ressources
我正在尝试将 api 访问限制为仅对自己的资源进行访问。遗憾的是它不起作用。
目前我可以在 'users/{userid}' 访问每个用户数据。所以如果我的userid是10,我也可以通过替换userid来访问11的数据。
SecurityConig.java
@SuppressWarnings("SpringJavaAutowiringInspection")
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private JwtAuthenticationEntryPoint unauthorizedHandler;
@Autowired
private JwtAuthenticationProvider jwtAuthenticationProvider;
@Autowired
public void configureAuthentication(AuthenticationManagerBuilder authenticationManagerBuilder) {
authenticationManagerBuilder.authenticationProvider(jwtAuthenticationProvider);
}
@Bean
public JwtAuthenticationTokenFilter authenticationTokenFilterBean() {
return new JwtAuthenticationTokenFilter();
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.csrf().disable()
.exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/users").permitAll()
.antMatchers("/user/{userid}/**")
.access("@userSecurity.hasUserId(authentication,#userid)")
.anyRequest().authenticated();
httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
httpSecurity.headers().cacheControl();
}
为了限制访问,我使用 Spring EL 表达式。 IntelliJ 告诉我“无法解析变量 'userid'
.antMatchers("/user/{userid}/**")
.access("@userSecurity.hasUserId(authentication,#userid)")
这是我的UserSecurity.java
public class UserSecurity {
private final JwtTokenService jwtService;
@SuppressWarnings("unused")
public UserSecurity() {
this(null);
}
public UserSecurity(JwtTokenService jwtService) {
this.jwtService = jwtService;
}
public boolean hasUserId(Authentication authentication, String userid) {
String token = (String) authentication.getCredentials();
String username = jwtService.getUsernameFromToken(token);
return username.equals(userid);
}
}
我还发现,如果我用字符串替换“#userid”,它就不起作用。它不进入方法,
发现我的错误。
这个
.antMatchers("/user/{userid}/**")
.access("@userSecurity.hasUserId(authentication,#userid)")
应该是这个
.antMatchers("/users/{userid}/**")
.access("@userSecurity.hasUserId(authentication,#userid)")
路径名有误。
我正在尝试将 api 访问限制为仅对自己的资源进行访问。遗憾的是它不起作用。 目前我可以在 'users/{userid}' 访问每个用户数据。所以如果我的userid是10,我也可以通过替换userid来访问11的数据。
SecurityConig.java
@SuppressWarnings("SpringJavaAutowiringInspection")
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private JwtAuthenticationEntryPoint unauthorizedHandler;
@Autowired
private JwtAuthenticationProvider jwtAuthenticationProvider;
@Autowired
public void configureAuthentication(AuthenticationManagerBuilder authenticationManagerBuilder) {
authenticationManagerBuilder.authenticationProvider(jwtAuthenticationProvider);
}
@Bean
public JwtAuthenticationTokenFilter authenticationTokenFilterBean() {
return new JwtAuthenticationTokenFilter();
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.csrf().disable()
.exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/users").permitAll()
.antMatchers("/user/{userid}/**")
.access("@userSecurity.hasUserId(authentication,#userid)")
.anyRequest().authenticated();
httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
httpSecurity.headers().cacheControl();
}
为了限制访问,我使用 Spring EL 表达式。 IntelliJ 告诉我“无法解析变量 'userid'
.antMatchers("/user/{userid}/**")
.access("@userSecurity.hasUserId(authentication,#userid)")
这是我的UserSecurity.java
public class UserSecurity {
private final JwtTokenService jwtService;
@SuppressWarnings("unused")
public UserSecurity() {
this(null);
}
public UserSecurity(JwtTokenService jwtService) {
this.jwtService = jwtService;
}
public boolean hasUserId(Authentication authentication, String userid) {
String token = (String) authentication.getCredentials();
String username = jwtService.getUsernameFromToken(token);
return username.equals(userid);
}
}
我还发现,如果我用字符串替换“#userid”,它就不起作用。它不进入方法,
发现我的错误。
这个
.antMatchers("/user/{userid}/**")
.access("@userSecurity.hasUserId(authentication,#userid)")
应该是这个
.antMatchers("/users/{userid}/**")
.access("@userSecurity.hasUserId(authentication,#userid)")
路径名有误。