我在http中没有收到错误403"放入";方法在内存身份验证中使用SpringSecurity。该方法在应该返回403时返回了200。使用http";张贴";方法工作正常。注意示例:
网络安全配置:
@Configuration
public class WebSecutiryConfigurer extends WebSecurityConfigurerAdapter {
@Override
@Bean
protected AuthenticationManager authenticationManager() throws Exception {
return super.authenticationManager();
}
@Override
@Bean
protected UserDetailsService userDetailsService() {
return super.userDetailsService();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().passwordEncoder(passwordEncoder()).withUser("11111111111")
.password(passwordEncoder().encode("minhasenha")).roles("Administrador").and().withUser("22222222222")
.password(passwordEncoder().encode("minhasenha")).roles("Consulta");
}
}
这是我的ResourceServerConfigurerAdapter:
@Configuration
public class ResourceServerConfigurer extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/v1/cnaes").hasAnyRole("Administrador", "Alteracao", "Consulta")
.antMatchers(HttpMethod.POST, "/v1/cnaes").hasRole("Administrador")
.antMatchers(HttpMethod.DELETE, "/v1/cnaes").hasRole("Administrador")
.antMatchers(HttpMethod.PUT, "/v1/cnaes/delete").hasRole("Administrador")
.antMatchers(HttpMethod.PUT, "/v1/cnaes").hasRole("Administrador")
.and()
.anonymous().disable()
.exceptionHandling();
}
}
这是我在测试类中的方法:
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
public class CnaeTeste {
@LocalServerPort
private int port;
private String urlGeracaoToken = "http://localhost:8088/oauth/token";
private String oauthTokenPerfilAdministrador;
private String oauthTokenPerfilConsulta;
@Before
public void setup() {
RestAssured.baseURI = "http://localhost:5555/mysystem/v1/cnaes";
}
@Before
public void autenticarPerfilAdministrador() {
Response response = RestAssured.given().auth().basic("usuario-bearer", "omissospj-pwd-bearer")
.formParam("scope", "intranet").formParam("username", "07068684718").formParam("password", "minhasenha")
.formParam("grant_type", "password").when().post(this.urlGeracaoToken);
this.oauthTokenPerfilAdministrador = response.jsonPath().get("access_token");
}
@Before
public void autenticarPerfilConsulta() {
Response response = RestAssured.given().auth().basic("usuario-bearer", "omissospj-pwd-bearer")
.formParam("scope", "intranet").formParam("username", "22222222222").formParam("password", "minhasenha")
.formParam("grant_type", "password").when().post(this.urlGeracaoToken);
this.oauthTokenPerfilConsulta = response.jsonPath().get("access_token");
}
@Test
public void falhaAtualizarQuandoUsuarioPerfilAlteracaoStatusCode403() throws Exception {
// insert
Cnae cnae = new Cnae(0L, "2222222", "CNAE de Teste - Criada - Perfil Administrador", false);
ObjectWriter ow = new ObjectMapper().writer().withDefaultPrettyPrinter();
String json = ow.writeValueAsString(cnae);
Response responseInclusao = RestAssured.given()
.headers("Authorization", "Bearer " + this.oauthTokenPerfilAdministrador, "Content-Type",
ContentType.JSON, "Accept", ContentType.JSON)
.body(json).when().post();
Assertions.assertThat(responseInclusao.getStatusCode()).isEqualTo(201);
// update
String stringResponse = responseInclusao.getBody().asString();
JSONObject jsonObject = new JSONObject(stringResponse);
String idCadastrado = jsonObject.getString("id");
Long idAtualizado = Long.parseLong(idCadastrado);
cnae = new Cnae(idAtualizado, "2222222", "CNAE de Teste - Atualizada - Perfil Alteração", false);
ow = new ObjectMapper().writer().withDefaultPrettyPrinter();
json = ow.writeValueAsString(cnae);
Response responseAlteracao = RestAssured.given().headers("Authorization",
"Bearer " + this.oauthTokenPerfilConsulta, "Content-Type", ContentType.JSON, "Accept", ContentType.JSON)
.body(json).when().put("/" + idCadastrado);
Assertions.assertThat(responseAlteracao.getStatusCode()).isEqualTo(403);
// delete
Response responseExcluir = RestAssured.given()
.headers("Authorization", "Bearer " + this.oauthTokenPerfilAdministrador, "Content-Type",
ContentType.JSON, "Accept", ContentType.JSON)
.when().delete("/" + idCadastrado).then().extract().response();
Assertions.assertThat(responseExcluir.getStatusCode()).isEqualTo(200);
}
}
我收到200状态码,当我预计收到403:时
Assertions.assertThat(responseAlteracao.getStatusCode()).isEqualTo(403);
有什么建议吗?
是删除也失败,还是只放入?
您的输入被定向到urlhttp://localhost:5555/mysystem/v1/cnaes/idCadastrado
但您只匹配/v1/cnaes:.antMatchers(HttpMethod.PUT, "/v1/cnaes").hasRole("Administrador")
也许您需要确保其他请求经过身份验证:.antMatchers(HttpMethod.PUT, "/v1/cnaes/**").authenticated()或.antMatchers(HttpMethod.PUT, "/v1/cnaes/**").hasRole("Administrador")或.anyRequest().hasRole("Administrador")(在添加所有其他antMatchers后放在末尾(
如果您的控制器中没有映射到/v1/cnaes/:id,但我在您提供的代码中看不到您的控制器入口点,那么它仍然会失败。我想,如果入口点存在,并且安全级别为@PreAuthorize("permitAll"(,那么您就成功地调用了它。