我正在尝试使用Spring Boot, JWT与角色实现身份验证
我有错误:
访问该资源需要完全身份验证
when sendPOST请求"http://localhost: 8080/api/资料/edit_user_detail"(带授权头)
下面是我的控制器
@Controller
@CrossOrigin(origins = "*",maxAge = 3600)
@RequestMapping("/api/profile")
public class UserAPI {
@Autowired
UserRepository userRepository;
@Autowired
private RoleRepository roleRepository;
@Autowired
QARepository qaRepository;
@Autowired
DiscussRepository discussRepository;
@Autowired
AnnouncementRepository announcementRepository;
@PostMapping(value = {"/edit_user_detail"})
@PreAuthorize("hasRole('ROLE_USER')")
public ResponseEntity<?> editInfo(@RequestBody Map map) throws ParseException {
String username = map.get("username").toString();
String display_name = map.get("display_name").toString();
User user = userRepository.findByUserName(username).get(0);
user.setuDigitalName(display_name);
userRepository.save(user);
return ResponseEntity.ok("Updated");
}
但是当我删除一行时
@PreAuthorize("hasRole (ROLE_USER)")
然后我可以成功POST请求并成功编辑用户(我已经检查了数据库)
这也是我的入口点(捕获异常)
@Component
public class AuthEntryPointJwt implements AuthenticationEntryPoint {
private static final Logger log = LoggerFactory.getLogger(AuthEntryPointJwt.class);
@Override
public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
log.error("Authorized error: " + e.getMessage());
httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED,"Error: Unauthorized");
e.printStackTrace();
}
}
这是我的配置文件
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ConfigAuthenticate extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsServices userDetailsServices;
@Autowired
private AuthEntryPointJwt unauthorizeHandler;
@Bean
public AuthTokenFilter authenticationJwtTokenFilter(){
return new AuthTokenFilter();
}
@Bean
@Override public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsServices).passwordEncoder(passwordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable().exceptionHandling().authenticationEntryPoint(unauthorizeHandler)
.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().authorizeRequests()
.antMatchers("/**").permitAll()
.anyRequest().authenticated();
http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
}
}
我认为在WebSecurityConfigurerAdapter中配置有问题,我已经试过了
- 将
@PreAuthorize("hasRole('ROLE_USER')")更改为@PreAuthorize("hasRole('USER')") - 检查头中的JWT令牌,以及数据库中的ROLE
但还是不行,有人有解决方案吗
尝试删除.antMatchers("/**").permitAll(),并将这些行添加到您的:
application.yml
logging:
level:
org.springframework.security: TRACE
或application.properties
logging.level.org.springframework.security=TRACE
你可以像这样看到你的用户信息:
AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
您可以依靠Granted Authorities来确定用户的角色
因为您在.anyRequest().authenticated()之前设置了.antMatchers("/**").permitAll(),所以我不确定您是否成功验证了用户。如果没有,那么AnonymousAuthenticationFilter将为您创建一个匿名用户。如果你没有添加@PreAuthorize("hasRole('USER')"),基于.antMatchers("/**").permitAll()的FilterSecurityInterceptor将允许请求通过它并访问控制器。