403禁止 - 带有弹簧靴的弹簧安全
我有我的Spring Boot应用程序,并且正在尝试增加Spring Security,但是当我通过Postman提出请求时,我会继续获得403 Forbbiden, 在线我发现我shoud添加了:“ .csrf()。disable()”到我的配置中,但它不起作用 (如果我将方法放在路径上:“ person/**'在许可证())的
(我的代码:
@Data
@AllArgsConstructor
@NoArgsConstructor
@Document("User")
public class User {
@Id
private String id;
private String name;
private String password;
private String email;
private Set<UserRole> roles;
}
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private final UserDetailsService userDetailsService;
private final BCryptPasswordEncoder encoder;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(encoder);}
@Override
protected void configure(HttpSecurity http) throws Exception {
log.info("HttpSecurity: {}",http);
http.authorizeRequests()
.antMatchers( "/user/saveUser").permitAll()
.antMatchers("/person/**").hasAnyRole()
.and().csrf().disable().cors().disable();}
}
public class UserService implements UserDetailsService{
private final UserRepository userRepo;
private final BCryptPasswordEncoder passwordEncoder;
@Override
public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
log.info("mail request: {}",email);
Optional<User> opt = userRepo.findUserByEmail(email);
log.info("Find user: {}", opt);
org.springframework.security.core.userdetails.User springUser=null;
if(opt.isEmpty()) {
throw new UsernameNotFoundException("User with email: " +email +" not found");
}else {
User user =opt.get();
Set<UserRole> roles = user.getRoles();
Set<GrantedAuthority> grantedAuthorities = new HashSet<>();
for(UserRole role:roles) {
grantedAuthorities.add(new SimpleGrantedAuthority(role.name()));
}
springUser = new org.springframework.security.core.userdetails.User(
email,
user.getPassword(),
grantedAuthorities );
}
return springUser;
}
我的用户控制器:
@RestController
@RequestMapping("user")
public class UserController {
private final UserService userService;
@PostMapping("/saveUser")
public ResponseEntity<String> saveUser(@RequestBody User user) {
log.info("Registering User: {}", user);
userService.saveUser(user);
return ResponseEntity.ok("registered User");
}
}
我的人控制器:(方法403)
@RestController
@requestmapping(“人”)
公共类PersonController {
@Autowired
Persemservice Perservice;
@getMapping(“/getall”)
公共响应性&lt; list&gt; getall()抛出ioexception {
返回响应词。ok(personService.findall());
}
这是我第一次使用春季安全性,我在线遵循了一个教程,但我真的无法弄清楚为什么我将请求放在安全状态下,它仍然被禁止403
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我认为您可能需要添加
@configuration和@enablewebsecurity注释Security> Security> Security> SecurityConfig类,因为Spring-Security无法看到您的安全配置没有他们。请参阅参考文档: https://docs.spring.io/spring-security/site/site/docs/current/current/api/org/springframework/security/security/security/config/config/annotation/web/configuration/web/configuration/enableweablewebleceburation/enablewebsececurity..html
----另外,
websecurityConfigurerAdapter是自5.7.0-m2以来,因此您可以考虑创建一个类型SecurityFilterChain的bean,以配置应用程序中的安全性,如果您使用以后的Spring-Security版本。I think you might need to add
@Configurationand@EnableWebSecurityannotations to yourSecurityConfigclass, because spring-security can't see your security configuration without them.See reference documentation: https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.html
Mind also, that
WebSecurityConfigurerAdapterwas deprecated since 5.7.0-M2, so you might consider creating a bean of typeSecurityFilterChainto configure security in your app if you use later versions of spring-security.