我已经做了一些休息端点。我启用了基于角色的身份验证和授权。但问题是我公开的休息端点做得很好,但我为身份验证和授权所做的端点不起作用。它抛出错误 403。我正在浏览器中点击请求。我定义了两个角色 user 和 admin。我在数据库中创建了两个表 users 和authorities,并使用 coulmn 用户名与外键连接。
我还有一个疑问,我正在使用带有自己的用户名和密码的自定义过滤器链,据我所知,默认令牌不应在我的控制台中生成,该控制台仍在生成中。请也看看。我正在附上屏幕截图。
请帮忙。过去 20 天我一直陷入这个问题。尝试了一切。但仍然面临错误 403。
这是我的安全配置类
package com.telusko.securityconfiguration;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
@EnableWebSecurity
public class SecurityConfigApp {
@Autowired
private DataSource dataSource;
@Autowired
public void authenticationManager(AuthenticationManagerBuilder auth) throws Exception {
auth
.jdbcAuthentication()
.passwordEncoder(new BCryptPasswordEncoder())
.dataSource(dataSource)
.usersByUsernameQuery("select username,password,enabled from users where username=?")
.authoritiesByUsernameQuery("select username,authority from authorities where username=?");
}
@Bean
public SecurityFilterChain customFilterChain(HttpSecurity http) throws Exception {
http.cors(cors->cors.disable())
.authorizeHttpRequests(
request ->request.requestMatchers("/api/").permitAll()
.requestMatchers("/api/admin/").hasRole("ADMIN")
.requestMatchers("/api/user/").hasAnyRole("ADMIN","USER")
.anyRequest().authenticated()
).httpBasic(Customizer.withDefaults())
.csrf(AbstractHttpConfigurer::disable)
.formLogin(Customizer.withDefaults());
return http.build();
}
}
这是我的控制器类
package com.telusko.restcontroller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
@RequestMapping("/api")
public class UserRestController {
@GetMapping("/")
public String welcome() {
return "<h1>Welcome to Ineuron Family</h1>";
}
@GetMapping("/admin")
public String adminProcess() {
return "<h1>Welcome admin</h1>";
}
@GetMapping("/user")
public String userProcess() {
return "<h1>Welcome user</h1>";
}
}
这是我的应用程序属性文件
spring.datasource.url=jdbc:mysql://localhost:3307/oct_batch1
spring.datasource.username=root
spring.datasource.password=Lumia@541
logging.level.org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder=INFO
这是我的
package com.telusko;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
import org.springframework.context.annotation.ComponentScan;
@SpringBootApplication()
@ComponentScan()
public class SpringSecurityJdbcAuthenticationApplication {
public static void main(String[] args) {
SpringApplication.run(SpringSecurityJdbcAuthenticationApplication.class, args);
}
}
这是我收到的错误
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Tue Jan 16 10:23:55 IST 2024
There was an unexpected error (type=Forbidden, status=403).
Forbidden
我已经尝试过lambda dsl,因为我正在使用spring security 6.2和cors禁用,chatgpt,bing ai,但它仍然不起作用。
数据库表、权限表中的权限是否正确定义?
您可以在配置类中使用 UserDetailsMANager 并检查它是否有效
@Bean
public UserDetailsManager userDetailsManager(DataSource dataSource) throws Exception {
JdbcUserDetailsManager jdbcUserDetailsManager = new JdbcUserDetailsManager(dataSource);
jdbcUserDetailsManager.setUsersByUsernameQuery("select username,password,enabled from users where username=?");
jdbcUserDetailsManager.setAuthoritiesByUsernameQuery("select username,authority from authorities where username=?");
return jdbcUserDetailsManager;
}