小贝子编程

如何在春季安全性和弹簧数据JPA中使用Jersey Rest修复403



我从使用Spring Security的JDBC身份验证的REST API中获得403。

我已经使用spring靴子编写了简单的Restful API,并尝试使用inMemoryAuthentication()方法实现Spring Security,这很好。但是,当我切换到jdbcAuthentication()方法时,我将获得403的禁止,因为我使用Postman的有效凭据进行服务。我不知道我做错了。

@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter{
    @Autowired
    DataSource dataSource; 
    @Override
    protected void configure(HttpSecurity http) throws Exception{
        http.csrf().disable()
        .httpBasic()
        .and()
        .authorizeRequests()
        .antMatchers("/jersey/**").hasRole("USER")
        .antMatchers("/console/**").permitAll()
        .and()
        .headers().frameOptions().disable();
        //.anyRequest().permitAll();
    }
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication().dataSource(dataSource)
        .authoritiesByUsernameQuery("select USERNAME, ROLE from EMPLOYEE where USERNAME=?")
        .usersByUsernameQuery("select USERNAME, PASSWORD , 1 as enabled from EMPLOYEE where USERNAME=?");
    }
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

data.sql
INSERT INTO EMPLOYEE VALUES ('lalit','$2a$10$TV//Fu/4UwMTIqnPbkahqeMNjrrF1YQT1MdEwNDvaHurH5wR7ZLnm','USER');

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-jersey</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>com.h2database</groupId>
            <artifactId>h2</artifactId>
        </dependency>

update 

error log:
2019-05-24 19:46:21.703 DEBUG 11724 --- [nio-8088-exec-2] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@f9c70a69: Principal: org.springframework.security.core.userdetails.User@61fa502: Username: lalit; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: USER
2019-05-24 19:46:21.706 DEBUG 11724 --- [nio-8088-exec-2] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@4a78101b, returned: -1
2019-05-24 19:46:21.713 DEBUG 11724 --- [nio-8088-exec-2] o.s.s.w.a.ExceptionTranslationFilter     : Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.1.5.RELEASE.jar:5.1.5.RELEASE]
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.1.5.RELEASE.jar:5.1.5.RELEASE]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
...

这是我与有效的凭据一起使用服务时得到的。

HTTP状态403 - 禁止

您被禁止403,因为春季安全性可能在DB中发现了与" cole_user"的角色不同的角色,同时访问具有/jersey/的任何映射。

还可以查看以下配置。这可能是密码编码器所需的编码。

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.jdbcAuthentication()
            .dataSource(dataSource)
            .passwordEncoder(passwordEncoder())
            .authoritiesByUsernameQuery("select USERNAME, ROLE from EMPLOYEE where USERNAME=?")
            .usersByUsernameQuery("select USERNAME, PASSWORD , 1 as enabled from EMPLOYEE where USERNAME=?");
}

update

将角色保存为" cole_user"而不是"用户"

当您的错误日志说凭据以前已进行了认证,您需要在尝试再次登录之前删除浏览器的cookie,或者只需打开一个新的Incognito选项卡。

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium