403 禁止在 Spring 安全性中仅使用自定义 UserDetailsService
403 forbidden in Spring Security with Custom UserDetailsService only
我在 spring 引导项目中有以下文件用于 Spring 安全。当我使用 inMemoryAuthentication 时它可以工作,但是当我使用自定义 UserDetailsService 时它不起作用。自定义 UserDetailsService class 被调用但它仍然给出 403(当我尝试访问 /user 时)但它适用于开放 url (/usr)。
import org.springframework.security.core.userdetails.User
@Service
public class UserDetailsServiceImpl implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
//not using parameter which is being passed as trying to figure out the problem first.
UserDetails user = User.withUsername("abc").password("abc").authorities("ADMIN").build();
return user;
}
}
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserDetailsServiceImpl userDetailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(getPasswordEncoder());
// auth.inMemoryAuthentication().withUser("abc").password("abc").roles("ADMIN");
}
@Bean
public PasswordEncoder getPasswordEncoder() {
return NoOpPasswordEncoder.getInstance();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/api/user").hasRole("ADMIN")
.antMatchers("/").permitAll()
.and().formLogin();
}
}
@RestController
@RequestMapping("/api")
public class UserController {
@GetMapping("/usr")
public ResponseEntity<String> getOpenResponse() {
return ResponseEntity.ok("You are accessing open url");
}
@GetMapping("/user")
public ResponseEntity<String> getSecuredResponse() {
return ResponseEntity.ok("You are accessing secured path");
}
}
我在这里做错了什么?我错过了什么吗?
问题在这里:
UserDetails user = User.withUsername("abc").password("abc").authorities("ADMIN").build();
您将用户的权限设置为 "ADMIN",但在 SecurityConfig class 中,您希望用户具有 角色 "ADMIN",其实就是"ROLE_ADMIN"权限的快捷方式:
http.authorizeRequests()
.antMatchers("/api/user").hasRole("ADMIN")
要解决该问题,您应该定义用户的角色:
User.withUsername("abc").password("abc").roles("ADMIN")
我在 spring 引导项目中有以下文件用于 Spring 安全。当我使用 inMemoryAuthentication 时它可以工作,但是当我使用自定义 UserDetailsService 时它不起作用。自定义 UserDetailsService class 被调用但它仍然给出 403(当我尝试访问 /user 时)但它适用于开放 url (/usr)。
import org.springframework.security.core.userdetails.User
@Service
public class UserDetailsServiceImpl implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
//not using parameter which is being passed as trying to figure out the problem first.
UserDetails user = User.withUsername("abc").password("abc").authorities("ADMIN").build();
return user;
}
}
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserDetailsServiceImpl userDetailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(getPasswordEncoder());
// auth.inMemoryAuthentication().withUser("abc").password("abc").roles("ADMIN");
}
@Bean
public PasswordEncoder getPasswordEncoder() {
return NoOpPasswordEncoder.getInstance();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/api/user").hasRole("ADMIN")
.antMatchers("/").permitAll()
.and().formLogin();
}
}
@RestController
@RequestMapping("/api")
public class UserController {
@GetMapping("/usr")
public ResponseEntity<String> getOpenResponse() {
return ResponseEntity.ok("You are accessing open url");
}
@GetMapping("/user")
public ResponseEntity<String> getSecuredResponse() {
return ResponseEntity.ok("You are accessing secured path");
}
}
我在这里做错了什么?我错过了什么吗?
问题在这里:
UserDetails user = User.withUsername("abc").password("abc").authorities("ADMIN").build();
您将用户的权限设置为 "ADMIN",但在 SecurityConfig class 中,您希望用户具有 角色 "ADMIN",其实就是"ROLE_ADMIN"权限的快捷方式:
http.authorizeRequests()
.antMatchers("/api/user").hasRole("ADMIN")
要解决该问题,您应该定义用户的角色:
User.withUsername("abc").password("abc").roles("ADMIN")