我刚刚将WebSecurityConfigurerAdapter添加到我的项目中,试图第一次创建用户逻辑(登录-密码-哪个用户可以对我的应用程序做什么),但有些事情确实是错误的。
每当我尝试向任何路径或任何类型的方法发出请求时,它返回给我403 Forbidden!我不知道该怎么办,因为这是我第一次处理任何类型的安全逻辑。
这是我的代码:
@Configuration
@EnableWebSecurity
@ComponentScan
@EnableGlobalMethodSecurity(
prePostEnabled = true,
securedEnabled = true,
jsr250Enabled = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter{
@Autowired
private UserDetailsService userDetailsService;
@Bean
AuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider provider
= new DaoAuthenticationProvider();
provider.setUserDetailsService(userDetailsService);
provider.setPasswordEncoder(new BCryptPasswordEncoder());
return provider;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/**")
.hasAuthority("ADMIN")
.antMatchers(HttpMethod.DELETE, "/**")
.hasAuthority("ADMIN")
.antMatchers(HttpMethod.PUT, "/**")
.hasAuthority("ADMIN")
.antMatchers(HttpMethod.GET, "/**")
.hasAuthority("ADMIN")
.antMatchers(HttpMethod.GET, "/tools")
.hasAuthority("USER")
.anyRequest()
.authenticated()
.and()
.cors()
.and()
.exceptionHandling()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.csrf()
.disable();
}
}
我也有这两个类(我遵循教程和家伙做了这两个):
public class CustomUserDetails implements UserDetails {
/**
*
*/
private static final long serialVersionUID = 1L;
private Users user;
public CustomUserDetails(Users user) {
super();
this.user = user;
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return Collections.singleton(new SimpleGrantedAuthority(user.getRole()));
}
@Override
public String getPassword() {
return user.getPassword();
}
@Override
public String getUsername() {
return user.getLogin();
}
public String getEmail() {
return user.getEmail();
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
和
public class CustomUserDetails implements UserDetails {
/**
*
*/
private static final long serialVersionUID = 1L;
private Users user;
public CustomUserDetails(Users user) {
super();
this.user = user;
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return Collections.singleton(new SimpleGrantedAuthority(user.getRole()));
}
@Override
public String getPassword() {
return user.getPassword();
}
@Override
public String getUsername() {
return user.getLogin();
}
public String getEmail() {
return user.getEmail();
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
如果我遗漏了什么,你真的想要帮助,这是完整的代码:https://github.com/vitoriaacarvalho/backend-challenge-very-useful-tools-to-remember-
我已经(非常)感谢任何回应并试图帮助我的人!
当我查看您的代码时,您没有在返回用户信息的服务中设置用户的权限。
在UserService中创建了一个用户,并且只指定了id信息。在这种情况下,您不能访问您给角色的任何url。
如果你像下面这样编辑你的代码,你的问题就解决了。
@Service
public class CustomUserDetailsService implements UserDetailsService{
@Autowired
private UserRepository repo;
@Override
public UserDetails loadUserByUsername(String login) throws UsernameNotFoundException {
Optional<Users> user= repo.findByLogin(login);
if(user==null) {
throw new UsernameNotFoundException("User not found");
}
//return new CustomUserDetails(user.get());
return new User(login, login, Collections.singletonList(new SimpleGrantedAuthority("ADMIN")))
}
}