我正在使用Java Spring Boot编写基本的Web应用程序,目前在数据库中用户角色以及对应用程序不同部分的访问方面存在问题。用户可以具有“ ADMIN”或“ USER”角色。这两个角色所允许的唯一区别是ADMIN可以访问“ / register”页面,而其他角色USER则不能。我在下面发布了我的http configure方法的代码,并且不确定我哪里出错了。我希望所有用户都能够访问登录页面,而只有ADMIN能够访问“ / register”页面。我遇到的问题是,由于某种原因,到目前为止,我的应用程序的“ / home”页面甚至无需登录就可以看到。使用我下面的内容登录并没有被强制执行。
package bcoreHW.security;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;
import bcoreHW.service.UserService;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserService userService;
@Autowired
private PasswordEncoder passwordEncoder;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers( // allow users access to any files in js, css, and img directories
"/login",
"/js/**",
"/css/**",
"/img/**")
.permitAll()
.antMatchers("/register")
.hasRole("ADMIN")
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/home")
.permitAll()
.and()
.logout()
.permitAll();
}
// @Autowired
// public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
// auth
// .inMemoryAuthentication()
// .withUser("test")
// .password("hello")
// .roles("USER");
// }
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userService).passwordEncoder(passwordEncoder);
}
}
但是,如果将configure()方法更改为下面的内容,则至少会强制用户登录,并且在“单击”状态下,从那里获得的权限是正确的,但是我仍然可以到地址栏并在USER角色下搜索“ / register”,这就是为什么我尝试实现发布的第一段代码。两者都尚未奏效,并希望获得一些帮助。
package bcoreHW.security;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;
import bcoreHW.service.UserService;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserService userService;
@Autowired
private PasswordEncoder passwordEncoder;
@Override
protected void configure(HttpSecurity http) throws Exception {
//@formatter:off
http
.authorizeRequests()
.antMatchers( // allow users access to any files in js, css, and img directories
"/login",
"/js/**",
"/css/**",
"/img/**")
.permitAll()
.anyRequest().
authenticated()
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/home")
.permitAll()
.and()
.logout()
.permitAll();
}
// @Autowired
// public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
// auth
// .inMemoryAuthentication()
// .withUser("test")
// .password("hello")
// .roles("USER");
// }
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userService).passwordEncoder(passwordEncoder);
}
}
确保在数据库中存储角色为ROLE_ADMIN和ROLE_USER的用户
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers( "/login", "/js/**", "/css/**", "/img/**").permitAll() // allow users access to any files in js, css, and img directories
.antMatchers("/register").hasRole("ADMIN")
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login")
.defaultSuccessUrl("/home").permitAll()
.and()
.logout().permitAll();
}