我正在使用Java Spring Boot编写一个基本的Web应用程序,目前在数据库中的用户角色以及对应用程序不同部分的访问方面遇到问题。用户可以具有"管理员"或"用户"角色。这两个角色允许的唯一区别是管理员能够访问"/注册"页面,而角色 USER 中的其他人则不能。我已经在下面发布了我的http配置方法的代码,但不确定我哪里出错了。我希望所有用户都能够访问登录页面,只有管理员才能访问"/register"页面。我遇到的问题是,到目前为止,由于某种原因,我的应用程序的"/home"页面甚至无需登录即可看到。使用我在下面的内容登录未被强制执行。
package bcoreHW.security;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;
import bcoreHW.service.UserService;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserService userService;
@Autowired
private PasswordEncoder passwordEncoder;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers( // allow users access to any files in js, css, and img directories
"/login",
"/js/**",
"/css/**",
"/img/**")
.permitAll()
.antMatchers("/register")
.hasRole("ADMIN")
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/home")
.permitAll()
.and()
.logout()
.permitAll();
}
// @Autowired
// public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
// auth
// .inMemoryAuthentication()
// .withUser("test")
// .password("hello")
// .roles("USER");
// }
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userService).passwordEncoder(passwordEncoder);
}
}
但是,如果我将 configure(( 方法更改为下面的内容,至少用户被迫登录,并且那里的权限在"单击"的基础上是正确的,但我仍然可以转到地址栏并在 USER 角色下搜索"/register",这就是我尝试实现我发布的第一段代码的原因。两者都没有工作,希望得到一些帮助。
package bcoreHW.security;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;
import bcoreHW.service.UserService;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserService userService;
@Autowired
private PasswordEncoder passwordEncoder;
@Override
protected void configure(HttpSecurity http) throws Exception {
//@formatter:off
http
.authorizeRequests()
.antMatchers( // allow users access to any files in js, css, and img directories
"/login",
"/js/**",
"/css/**",
"/img/**")
.permitAll()
.anyRequest().
authenticated()
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/home")
.permitAll()
.and()
.logout()
.permitAll();
}
// @Autowired
// public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
// auth
// .inMemoryAuthentication()
// .withUser("test")
// .password("hello")
// .roles("USER");
// }
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userService).passwordEncoder(passwordEncoder);
}
}
确保将具有角色的用户存储在数据库中ROLE_ADMIN和ROLE_USER
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers( "/login", "/js/**", "/css/**", "/img/**").permitAll() // allow users access to any files in js, css, and img directories
.antMatchers("/register").hasRole("ADMIN")
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login")
.defaultSuccessUrl("/home").permitAll()
.and()
.logout().permitAll();
}