使用 mongodb PostAuthorize 和 PreAuthorize 的 Spring Boot 安全性不起作用

Posted 2023-02-26

【中文标题】使用 mongodb PostAuthorize 和 PreAuthorize 的 Spring Boot 安全性不起作用

【英文标题】：spring boot security with mongodb PostAuthorize and PreAuthorize not working

【发布时间】：2017-01-10 02:17:24

【问题描述】：

身份验证有效，但授权无效。请帮助我找不到问题所在。

控制器

@RestController
@RequestMapping("/v1/user")
public class UserController 

    @PostAuthorize("hasRole('ROLE_ADMIN')") //@PreAuthorize("hasRole('ROLE_ADMIN')"), both are not working
    @RequestMapping(method = RequestMethod.DELETE)
    @ResponseStatus(HttpStatus.NO_CONTENT)
    public void deleteUser() 
        log.debug("Only Admin can access this");

        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        System.out.println("User name "+auth.getName()); //prints - User name pratap
        System.out.println("User Authorities "+auth.getAuthorities()); // prints - User Authorities [ADMIN]
    

SecurityConfiguration.java

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter 

    @Autowired
    private CustomUserDetailsService customUserDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception 

        http.authorizeRequests().anyRequest().fullyAuthenticated().and().
                httpBasic().and().
                csrf().disable();
    

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception 
        auth.userDetailsService(customUserDetailsService);
    

CustomUserDetailsS​​ervice.java

@Service
public class CustomUserDetailsService implements UserDetailsService 

    @Autowired
    private UserRepository userRepository;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException 
        User user = userRepository.findByUsername(username);
        System.out.println("username "+user.getUsername());
        if(user != null) 
            return new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(), true, true, true, true,
                    AuthorityUtils.createAuthorityList("ADMIN"));
         else 
            throw new UsernameNotFoundException("could not find the user '"
                    + username + "'");
        
    

错误：

  "timestamp": 1472789456591,
  "status": 403,
  "error": "Forbidden",
  "message": "Access is denied",
  "path": "/v1/user/pratap"

【问题讨论】：

授权不起作用意味着什么？您是否收到 403 错误？

@sivaprasadreddy.k 是的，我收到了 403 Forbidden

【参考方案1】：

我明白了。添加角色时，应以“ROLE_”为前缀

AuthorityUtils.createAuthorityList("ROLE_ADMIN", "ROLE_USER"));

在@PreAuthorize 中，它应该没有前缀“ROLE_”

@PreAuthorize("hasRole('ADMIN')")