使用配置类时,使用@PreAuthorize或@Secured与Jersey

Question

使用配置类时,使用@PreAuthorize或@Secured与Jersey

use*_*736 5 java rest spring jersey spring-security

我遇到类似于PreAuthorize注释的问题不适用于球衣.我为Spring Security创建了一个配置类,并且身份验证有效,但授权却没有.

这是我的代码

SpringSecurityConfig.java

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
@Order(1)
@ComponentScan({"com.foo.rest.resources.Template"})
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    private final UserService userService;
    private final TokenAuthenticationService tokenAuthenticationService;

    public SpringSecurityConfig() {
        super(true);
        this.userService = new UserService();
        tokenAuthenticationService = new TokenAuthenticationService("tooManySecrets", userService);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
            http
                .exceptionHandling().and()
                .anonymous().and()
                .servletApi().and()
                .headers().cacheControl().and()
                .authorizeRequests()
                // Allow anonymous logins
                .antMatchers("/auth/**").permitAll()
                // All other request need to be authenticated
                .anyRequest().authenticated().and()

                // Custom Token based authentication based on the header previously given to the client
                .addFilterBefore(new StatelessAuthenticationFilter(tokenAuthenticationService),
                        UsernamePasswordAuthenticationFilter.class);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService()).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    @Override
    public UserService userDetailsService() {
        return userService;
    }

    @Bean
    public TokenAuthenticationService tokenAuthenticationService() {
        return tokenAuthenticationService;
    }
}

Run Code Online (Sandbox Code Playgroud)

和Template.java

@Component
@Path("/template")
@Produces(MediaType.APPLICATION_JSON)
public class Template {

    @GET
    @Secured("ROLE_EDITOR")
    public User getTemplate() {
        return new Template();
    }
}

Run Code Online (Sandbox Code Playgroud)

我的猜测是,身份验证是在过滤器链中处理的,但在达到授权标记后它永远不会回来.知道如何使这项工作？

Answer 1

sha*_*zin 1

我认为您的@ComponentScan配置错误并且没有Template正确选择资源。

根据@ComponentScan文档，该值是别名basePackages，但您给出了类而不是包。尝试将其更改为如下所示并查看。

@ComponentScan({"com.foo.rest.resources.*"})

Run Code Online (Sandbox Code Playgroud)

并确保您没有错过 Jersey Spring Integration 中文档中的任何步骤

归档时间：	9 年，2 月前
查看次数：	817 次
最近记录：	9 年，2 月前