这是我的安全性配置类,我正在使用BCryptPasswordEncoder
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private PasswordEncoder encoder;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic()
.and()
.authorizeRequests()
.antMatchers(HttpMethod.POST,"/api/auth/register")
.permitAll()
.antMatchers(HttpMethod.GET,"/api/auth/resources")
.hasAuthority("USER")
.and()
.csrf().disable();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
}
}
这是我对UserDetailsService的实现
public class UserDetailsServiceImpl implements UserDetailsService{
@Autowired
private AccountRepository repo;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
Account account = repo.findByUsername(username).orElseThrow(() -> new UsernameNotFoundException("No user found for username " + username));
User user =
new User(account.getUsername(), account.getPassword(), true, true, true, true, AuthorityUtils.createAuthorityList(account.getAuthorities()));
return user;
}
}
上面的POST方法是我可以提供存储在MySQL表中的用户名和密码的位置。
现在,当我可以使用刚刚添加的用户名和密码使用邮递员调用GET方法时,会出现如下所示的401未经授权的错误
{
"timestamp": "2020-05-23T20:12:10.165+0000",
"status": 401,
"error": "Unauthorized",
"message": "Unauthorized",
"path": "/api/auth/resources"
}
Spring Security的ExpressionUrlAuthorizationConfigurer.java
具有以下方法。前缀ROLE _在此有所不同。
对于hasAuthority(), hasAnyAuthority()
方法,我们需要传递带有前缀ROLE _的权限,即ROLE_USER
对于hasRole()
方法会自动添加前缀ROLE _,因此我们只能将授权名称作为USER
private static String hasRole(String role) {
Assert.notNull(role, "role cannot be null");
if (role.startsWith("ROLE_")) {
throw new IllegalArgumentException("role should not start with 'ROLE_' since it is automatically inserted. Got '" + role + "'");
} else {
return "hasRole('ROLE_" + role + "')";
}
}
private static String hasAuthority(String authority) {
return "hasAuthority('" + authority + "')";
}
private static String hasAnyAuthority(String... authorities) {
String anyAuthorities = StringUtils.arrayToDelimitedString(authorities, "','");
return "hasAnyAuthority('" + anyAuthorities + "')";
}