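/**
 * HTTP security configuration for the API.
 *
 * Authorization rules are evaluated in declaration order, so the public
 * matchers must stay ahead of the role/authority-gated ones, and the
 * catch-all rule must stay last.
 *
 * @property ottAuthenticationFilter one-time-token filter inserted ahead of
 *   HTTP Basic in the chain; its behaviour is defined outside this file.
 */
@Configuration
@EnableMethodSecurity
@EnableWebSecurity
class SecurityConfig(
    private val ottAuthenticationFilter: OTTAuthenticationFilter,
) {
    private val urlPrefix = "/api"

    /** Paths reachable without authentication: selected API paths plus the OpenAPI/Swagger UI. */
    private val urlsForAll = listOf("/join/**", "/login/**", "/view/**")
        .map { "$urlPrefix$it" }
        .plus(listOf("/v3/**", "/swagger-ui/**"))
        .toTypedArray()

    /** Paths that require the MEMBER role. */
    private val urlForMember = listOf("/members/**")
        .map { "$urlPrefix$it" }
        .toTypedArray()

    /** Encoder used to verify stored credentials; registering it replaces Spring's default delegating encoder. */
    @Bean
    fun passwordEncoder() = BCryptPasswordEncoder()

    /**
     * Builds the single [SecurityFilterChain] applied to every request.
     *
     * @param http builder supplied by Spring Security.
     * @return the configured filter chain.
     */
    @Bean
    fun filterChain(http: HttpSecurity): SecurityFilterChain = http
        // CSRF protection is switched off. That is only defensible because the session policy below
        // is STATELESS; NOTE(review): confirm no cookie-carried credential is accepted by any filter.
        .csrf { csrf -> csrf.disable() }
        .headers { headers ->
            headers.frameOptions { frame -> frame.sameOrigin() }
        }
        .authorizeHttpRequests { auth ->
            auth
                // The Swagger paths are already part of urlsForAll; no second permitAll needed.
                .requestMatchers(*urlsForAll).permitAll()
                // hasRole("MEMBER") checks for the granted authority "ROLE_MEMBER".
                .requestMatchers(*urlForMember).hasRole("MEMBER")
                // Every remaining request needs this exact authority string (no ROLE_ prefix is added).
                // anyRequest() replaces the former "/**" matcher, which had made a trailing
                // anyRequest().authenticated() rule unreachable.
                .anyRequest().hasAuthority("ADMIN_ADMINISTRATOR")
        }
        // NOTE(review): form login stores the authentication in the HTTP session; with the STATELESS
        // policy below that result is not retained between requests — confirm this is intended.
        .formLogin { form -> form.loginPage("/api/login/") }
        .httpBasic(Customizer.withDefaults())
        .sessionManagement { session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS) }
        // The one-time-token filter is placed ahead of BasicAuthenticationFilter in the chain.
        .addFilterBefore(ottAuthenticationFilter, BasicAuthenticationFilter::class.java)
        .build()
}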
App运行后的日志
[20:11:05.690][INFO ][org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start:line221] - Tomcat started on port 80 (http) with context path ''
[20:11:05.694][INFO ][com.study.security.SecurityApplicationKt.logStarted:line56] - Started PseuteamApplicationKt in 9.373 seconds (process running for 9.687)
[20:11:05.783][INFO ][org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/].log:line173] - Initializing Spring DispatcherServlet 'dispatcherServlet'
[20:11:05.784][INFO ][org.springframework.web.servlet.DispatcherServlet.initServletBean:line532] - Initializing Servlet 'dispatcherServlet'
[20:11:05.784][INFO ][org.springframework.web.servlet.DispatcherServlet.initServletBean:line554] - Completed initialization in 0 ms
我尝试了控制器和 Swagger Docs 中的每个端点,但所有请求都被重定向到 /api/login 并返回 403 响应。最初我发现这个问题时还没有 `.formLogin`,每个 API 都返回 403 Forbidden。有人可以给我一些建议吗? 如果我尝试过:80 端口,请不要提醒我。
我想问题不在 `csrf`,因为我看不到在 `SecurityConfig` 类中声明的 `UserDetailsService` bean。
在此您必须添加类似的内容,因为您允许按角色访问:
/**
 * Illustrative in-memory user store with two accounts ("user" and "admin").
 *
 * Both accounts share one bcrypt-encoded password; the "{bcrypt}" id prefix is
 * interpreted by Spring's DelegatingPasswordEncoder. NOTE(review): if a plain
 * BCryptPasswordEncoder bean is registered instead, that prefix is not stripped
 * and the password will not match — confirm which encoder is active. The roles
 * here are examples; adjust them to whatever the authorization rules expect.
 *
 * @return a [UserDetailsService] backed by an [InMemoryUserDetailsManager].
 */
@Bean
fun users(): UserDetailsService {
    val encodedPassword = "{bcrypt}$2a$10\$GRLdNijSQMUvl/au9ofL.eDwmoohzzS7.rmNSJZ.0FxO/BTk76klW"

    val regularUser = User.builder()
        .username("user")
        .password(encodedPassword)
        .roles("USER")
        .build()

    val adminUser = User.builder()
        .username("admin")
        .password(encodedPassword)
        .roles("USER", "ADMIN")
        .build()

    return InMemoryUserDetailsManager(regularUser, adminUser)
}
举个例子
关于更多细节以及内存用户声明之外的其他方式,您可以从文档的存储机制部分开始查找。