2017-05-19 108 views
-1

I have implemented Spring Security for my webapp. Spring Security - role-based access

I want to configure role-based access. Only users with the role "ROLE_ADMIN" should be able to log in.

I added a "Role" model and added a table to my database. But users with the "ROLE_USER" role can still log in.

@Override
protected void configure(HttpSecurity http) {
    try {
        http.csrf().disable()
            .authorizeRequests()
                // only /resources/** is tied to the role; every other URL just needs a login
                .antMatchers("/resources/**").hasRole("ROLE_ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    } catch (Exception e) {
        // configuration errors are printed and swallowed instead of failing startup
        e.printStackTrace();
    }
}

Thanks!

EDIT: full Spring Security configuration

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = UserDetailsServiceImpl.class)
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Bean
    public BCryptPasswordEncoder bCryptPasswordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    public void configure(WebSecurity web) {
        // static assets bypass the security filter chain entirely
        web.ignoring().antMatchers("/css/**", "/js/**");
    }

    @Override
    protected void configure(HttpSecurity http) {
        try {
            http.csrf().disable()
                .authorizeRequests()
                    // only /resources/** requires the ADMIN role; every other URL just needs a login
                    .antMatchers("/resources/**").hasRole("ADMIN")
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll();
        } catch (Exception e) {
            // configuration errors are printed and swallowed instead of failing startup
            e.printStackTrace();
        }
    }

    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(userDetailsService);
        authProvider.setPasswordEncoder(bCryptPasswordEncoder());
        return authProvider;
    }

    @Autowired
    public void globalSecurityConfiguration(AuthenticationManagerBuilder auth) {
        try {
            auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

}

Answer

1

Are you extending WebMvcConfigurerAdapter? Also, hasRole prefixes the supplied string with "ROLE_".

From the docs:

the role to require (e.g. USER, ADMIN, etc). Note that it should not start with "ROLE_", as this is automatically inserted.

For example:

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@SpringBootApplication
public class SampleWebSecureJdbcApplication extends WebMvcConfigurerAdapter {

    public static void main(String[] args) throws Exception {
        new SpringApplicationBuilder(SampleWebSecureJdbcApplication.class).run(args);
    }

    @Configuration
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {

        @Autowired
        private DataSource dataSource;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/resources/**", "/signup", "/about").permitAll()
                    // hasRole("ADMIN") matches the granted authority "ROLE_ADMIN"
                    .antMatchers("/admin/**").hasRole("ADMIN")
                    .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")
                    .anyRequest().authenticated()
                    .and()
                .formLogin().loginPage("/login").failureUrl("/login?error").permitAll()
                    .and()
                .logout().permitAll();
        }

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            // users and authorities are read from the JDBC tables
            auth.jdbcAuthentication().dataSource(this.dataSource);
        }

    }

}