我正在使用 Java Spring Boot 编写一个基本的 Web 应用程序,目前我的用户在我的数据库中的角色以及对应用程序不同部分的访问存在问题。用户可以具有“ADMIN”或“USER”角色。这两个角色所允许的唯一区别是 ADMIN 能够访问“/register”页面,而角色 USER 中的其他人则不能。我已经在下面发布了我的 http 配置方法的代码,但不确定我哪里出错了。我希望所有用户都能够访问登录页面,并且只有管理员才能访问“/注册”页面。我遇到的问题是,到目前为止,出于某种原因,我的应用程序的“/home”页面甚至无需登录就可以看到。使用下面的内容登录没有被强制执行。
package bcoreHW.security;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;
import bcoreHW.service.UserService;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserService userService;
@Autowired
private PasswordEncoder passwordEncoder;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers( // allow users access to any files in js, css, and img directories
"/login",
"/js/**",
"/css/**",
"/img/**")
.permitAll()
.antMatchers("/register")
.hasRole("ADMIN")
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/home")
.permitAll()
.and()
.logout()
.permitAll();
}
// @Autowired
// public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
// auth
// .inMemoryAuthentication()
// .withUser("test")
// .password("hello")
// .roles("USER");
// }
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userService).passwordEncoder(passwordEncoder);
}
}
但是,如果我将 configure() 方法更改为下面的方法,则至少用户被迫登录,并且那里的权限在“单击”的基础上是正确的,但我仍然可以转到地址栏并在 USER 角色下搜索“/register”,这就是我尝试实现我发布的第一段代码的原因。两者都没有工作,并希望得到一些帮助。
package bcoreHW.security;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;
import bcoreHW.service.UserService;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserService userService;
@Autowired
private PasswordEncoder passwordEncoder;
@Override
protected void configure(HttpSecurity http) throws Exception {
//@formatter:off
http
.authorizeRequests()
.antMatchers( // allow users access to any files in js, css, and img directories
"/login",
"/js/**",
"/css/**",
"/img/**")
.permitAll()
.anyRequest().
authenticated()
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/home")
.permitAll()
.and()
.logout()
.permitAll();
}
// @Autowired
// public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
// auth
// .inMemoryAuthentication()
// .withUser("test")
// .password("hello")
// .roles("USER");
// }
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userService).passwordEncoder(passwordEncoder);
}
}