1

我想要休息的基本安全,这是我的配置:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

@Autowired
private PacijentUserDetailsService pacijent;
@Autowired
private FizioterapeutUserDetailsService fizioterapeut;
@Autowired
private FizijatarUserDetailsService fizijatar;

@Override
protected void configure(AuthenticationManagerBuilder
        auth) throws Exception {
        auth.userDetailsService(pacijent)
        .passwordEncoder(new
        BCryptPasswordEncoder());
        auth.userDetailsService(fizioterapeut).passwordEncoder(new
        BCryptPasswordEncoder());
        auth.userDetailsService(fizijatar).passwordEncoder(new
        BCryptPasswordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception
{
    http
    .sessionManagement()
    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    .and()
    .authorizeRequests()
    .antMatchers("/pacijent/", "/fizijatar/","/fizioterapeut/").permitAll()
    .antMatchers("/pacijent/**","/fizijatar/**","/fizioterapeut/**").authenticated()
    .and()
    .httpBasic()
    .realmName("Ordinacija")
    .and()
    .csrf()
    .disable();

  }
  @Bean
   @Override
  public AuthenticationManager authenticationManagerBean() throws Exception          {
    return super.authenticationManagerBean();
}

}

我有 3 个 userdetailservice 的实现,这是一个例子:

  @Component
 public class PacijentUserDetailsService implements UserDetailsService {

@Autowired
private PacijentService pacijentService;

@Override
public UserDetails loadUserByUsername(String jmbg) throws UsernameNotFoundException {
Pacijent pacijent = pacijentService.vratiPacijenta(jmbg);
    if (pacijent == null) {
        throw new UsernameNotFoundException(String.format("Pacijent nije pronadjen", jmbg));

    }

    List<GrantedAuthority> authorities = new ArrayList<>();
    if (pacijentService.postojiPacijentPoJmbgu(jmbg)) {
        authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
    }

    UserDetails userDetails = new org.springframework.security.core.userdetails.User(pacijent.getJmbg(),
            pacijent.getSifra(), authorities);
    return userDetails;
  }
}

还有我的 web xml 文件:

           <context-param>
 <param-name>contextConfigLocation</param-name>
  <param-value>/WEB-INF/dispatcher-servlet.xml</param-value>
  </context-param>

org.springframework.web.context.ContextLoaderListener

<servlet>
    <servlet-name>dispatcher</servlet-name>
    <servlet- class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>dispatcher</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>
<session-config>
    <session-timeout>
        30
    </session-timeout>
</session-config>

当我启动我的应用程序并转到具有 @PreAuthorize 方法的 rest 方法时,我有错误 500:请求处理失败;嵌套异常是 org.springframework.security.authentication.AuthenticationCredentialsNotFoundException:在 SecurityContex 中找不到 Authentication 对象。

4

2 回答 2

0

尝试像这样更改您的配置。

.authorizeRequests()
.antMatchers(permitAllEndpointList.toArray(new String[permitAllEndpointList.size()]))
.permitAll()
.and()
.authorizeRequests()
.antMatchers(API_ROOT_URL).authenticated()

我希望这能解决你的问题。

于 2019-04-27T12:25:34.097 回答
0

我写答案是为了帮助别人。如果你有一个像 OncePerRequestFilter 这样的过滤器来检查身份验证,那么当你检查身份验证并且它失败时,你可以设置这个:

  response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
  response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");

否则,如果您让管理身份验证到 spring 您可以使用异常处理程序:

@ControllerAdvice
@RestController
public class CustomExceptionHandler extends ResponseEntityExceptionHandler {
@ExceptionHandler({AccessDeniedException.class})
    public final
            ResponseEntity<Object> handleUserNotFoundException(EntityNotFoundException ex, WebRequest request){
        return new ResponseEntity<>("Unauthorized", HttpStatus.UNAUTHORIZED);
    }
}

于 2019-04-27T12:09:34.963 回答