用户角色Spring Data Rest Spring安全

问题描述 投票:2回答:1

我有一个我不太了解的错误。我没有找到任何教程来解释为什么它不起作用。我有使用Spring Security的Spring Boot应用程序。

[当我发出此POST请求时:http://localhost:8181/roles正文:

{
    "name":"ROLE_USER"
}

效果很好。

[当我发出此POST请求时:http://localhost:8181/users正文:

 {
    "username":"user",
    "password":"pass",
    "roles":[
      "http://localhost:8181/roles/1"
    ]
}

效果很好

但是当我发出此GET请求时:http://localhost:8181/users具有正确的凭据(用户名:user,密码:pass)

它返回:

{
  "timestamp": "2020-04-22T15:04:55.032+0000",
  "status": 403,
  "error": "Forbidden",
  "message": "Forbidden",
  "path": "/users"
}

我不知道为什么返回403。

PS:所有请求均在邮递员上完成

UnoApplication.java

package com.example.Uno;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@SpringBootApplication
public class UnoApplication {

    @Bean
    public PasswordEncoder passwordEncoder(){
        return NoOpPasswordEncoder.getInstance();
    }

    public static void main(String[] args) {
        SpringApplication.run(UnoApplication.class, args);
    }
}

User.java

package com.example.Uno.entity;

import lombok.Data;

import javax.persistence.*;
import java.io.Serializable;
import java.util.*;

@Data
@Entity

public class User implements Serializable {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    private String username;
    private String password;


    @ManyToMany(mappedBy = "users",targetEntity = Role.class,cascade = {CascadeType.MERGE,CascadeType.PERSIST}, fetch = FetchType.EAGER)
    private Set<Role> roles = new HashSet<>();


}

Role.java

package com.example.Uno.entity;

import lombok.Data;

import javax.persistence.*;
import java.io.Serializable;
import java.util.*;

@Data
@Entity

public class Role implements Serializable {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;
    private String name;

    @ManyToMany(cascade = {CascadeType.MERGE,CascadeType.PERSIST}, fetch = FetchType.LAZY)
    private Set<User> users = new HashSet<>();


}

MyUserDetails.java

package com.example.Uno.entity;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.Collection;
import java.util.List;


public class MyUserDetails implements UserDetails {

    private String username;
    private String password;
    private List<GrantedAuthority> grantedAuthorities;

    public MyUserDetails(com.example.Uno.entity.User user){
        this.username = user.getUsername();
        this.password = user.getPassword();
        for (Role r: user.getRoles()){
            grantedAuthorities.add(new SimpleGrantedAuthority(r.getName()));
        }

    }


    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return grantedAuthorities;
    }

    @Override
    public String getPassword() {
        return password;
    }

    @Override
    public String getUsername() {
        return username;
    }

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }
}

UserRepository.java

package com.example.Uno.repository;


import com.example.Uno.entity.User;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;

import java.util.Optional;


@RepositoryRestResource
public interface UserRepository extends JpaRepository<User,Long> {

    User findUserByUsername(String s);

}

RoleRepository.java

package com.example.Uno.repository;

import com.example.Uno.entity.Role;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;

@RepositoryRestResource
public interface RoleRepository extends JpaRepository<Role,Long> {
    Role findRoleByName(String name);
}

MyUserDetailsS​​ervice.java

package com.example.Uno.service;

import com.example.Uno.entity.MyUserDetails;
import com.example.Uno.entity.User;
import com.example.Uno.repository.UserRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;


@Service
public class MyUserDetailsService implements UserDetailsService {
    @Autowired
    private UserRepository userRepository;

    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {

        User user = userRepository.findUserByUsername(s);
        return new MyUserDetails(user);
    }
}

SecurityConfig.java

package com.example.Uno.config;

import com.example.Uno.service.MyUserDetailsService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private MyUserDetailsService myUserDetailsService;

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(myUserDetailsService).passwordEncoder(passwordEncoder);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(HttpMethod.POST,"/users");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests()
                .antMatchers("/users").hasRole("USER")
                .anyRequest().permitAll().and().httpBasic();
    }
}

谢谢您的时间。

编辑

我在我的application.properties中添加了这一行:logging.level.org.springframework.security = DEBUG

并且当我发出上一个GET请求时,它在后端看起来像这样:Spring part 2 User Role

spring-boot jpa roles spring-data-rest userdetailsservice
1个回答
0
投票

因此基于日志

com.example.Uno.entity.MyUserDetails@1c6f2612; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Not granted any authorities'

您的用户详细信息没有任何权限,这意味着方法:findUserByUserName没有在用户对象中获得任何角色。

并且您应该调试该功能。但是您的方向正确,并且非常接近胜利!

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.