如何检查Java代码中的用户权限或权限?例如 - 我想根据角色为用户显示或隐藏按钮.有注释,如:
@PreAuthorize("hasRole('ROLE_USER')")
如何在Java代码中创建它?就像是 :
if(somethingHere.hasRole("ROLE_MANAGER")) {
layout.addComponent(new Button("Edit users"));
}
我在Web Security Config中有这个代码:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/api/**")
.hasRole("ADMIN")
.and()
.httpBasic().and().csrf().disable();
}
所以我在我的数据库中添加了一个具有"ADMIN"角色的用户,当我尝试使用此用户登录时,我总是得到403错误,然后我启用了spring for log,我找到了这一行:
2015-10-18 23:13:24.112 DEBUG 4899 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/user/login; Attributes: [hasRole('ROLE_ADMIN')]
为什么Spring Security正在寻找"ROLE_ADMIN"而不是"ADMIN"?
我的Spring Boot应用程序可以运行Spring Security 3.2.7.RELEASE.现在,我想将其更新为4.0.2.RELEASE.
经过几个小时的调试后,我发现Spring Security 4.0.2.RELEASE使用了 defaultRolePrefix="ROLE_"
在
org.springframework.security.access.expression.SecurityExpressionRoot.hasAnyAuthorityName(String prefix, String... roles) 方法
在我的应用程序中,我使用没有此前缀的角色,因此我得到了AccessDeniedException.
如何配置Spring Boot才能使用SecurityExpressionRoot.defaultRolePrefix=""?
我有一个基本的SpringBoot应用程序.使用Spring Initializer,嵌入式Tomcat,Thymeleaf模板引擎和包作为可执行的JAR文件.
我想保护一个控制器:
@Controller
@RequestMapping("/company")
@RolesAllowed({"ROLE_ADMIN"})
@PreAuthorize("hasRole('ADMIN')")
@Secured("ADMIN")
public class CompanyController {
}
我知道有不同的选择,但我真的不知道应该使用哪种
在我正在工作的项目中,我们基于角色ID而不是角色描述进行身份验证,并且此映射存储在数据库中.
我的问题是,如何删除Spring Security的RoleVoter前缀以实现上述设计?
经过调试,问题是mvc配置类EnableWebMvcConfiguration加载太早,servlet尚未加载.
org.springframework.beans.factory.BeanCreationException:在类路径资源中定义名为'resourceHandlerMapping'的bean时出错[org/springframework/boot/autoconfigure/web/servlet/WebMvcAutoConfiguration $ EnableWebMvcConfiguration.class]:通过工厂方法进行的Bean实例化失败; 嵌套异常是org.springframework.beans.BeanInstantiationException:无法实例化[org.springframework.web.servlet.HandlerMapping]:工厂方法'resourceHandlerMapping'抛出异常; 嵌套异常是java.lang.IllegalStateException:没有在org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:587)设置的ServletContext~ [spring-beans-5.0.4.RELEASE.jar:5.0.4 .RELEASE] org.springframework.beans上的org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1250)~ [spring-beans-5.0.4.RELEASE.jar:5.0.4.RELEASE] .factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1099)〜[spring-beans-5.0.4.RELEASE.jar:5.0.4.RELEASE] at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(在Org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:502)〜[spring]的AbstractAutowireCapableBeanFactory.java:545)~ [spring-beans-5.0.4.RELEASE.jar:5.0.4.RELEASE] -beans-5.0.4.RELEASE.jar:5.0.4.RELEASE]在org.springframework.beans.factory.support.AbstractBeanFactory.lambda $ doGetBean $ 0(AbstractBeanFactory.java:312)〜[spring-beans-5.0.4.RELEASE.jar:5.0.4.RELEASE] at org.springframework.beans.factory.support.AbstractBeanFactory $$ Lambda $ 125/98506158.getObject(Unknown Source)〜[na:na] at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:228 )〜[spring-beans-5.0.4.RELEASE.jar:5.0.4.RELEASE]在org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:310)〜[spring-beans-5.0. 4.RELEASE.jar:5.0.4.RELEASE]在org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:200)〜[spring-beans-5.0.4.RELEASE.jar:5.0.4 .rELEASE] org.springframework.context上的org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:760)~ [spring-beans-5.0.4.RELEASE.jar:5.0.4.RELEASE] .support.Abs org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:549)中的tractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:868)〜[spring-context-5.0.4.RELEASE.jar:5.0.4.RELEASE]〜 [spring-context-5.0.4.RELEASE.jar:5.0.4.RELEASE]在org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:140)〜[spring-boot-2.0. 0.RC2.jar:2.0.0.RC2] org.springframework.boot.SpringApplication.refresh(SpringApplication.java:752)[spring-boot-2.0.0.RC2.jar:2.0.0.RC2] at org .springframework.boot.SpringApplication.refreshContext(SpringApplication.java:388)[spring-boot-2.0.0.RC2.jar:2.0.0.RC2] org.springframework.boot.SpringApplication.run(SpringApplication.java:327 )[spring-boot-2.0.0.RC2.jar:2.0.0.RC2] org.springframework.boot.SpringApplication.run(SpringApplication.java:1246)[spring-boot-2.0.0.RC2.jar: 2.0.0.RC2]在org.springframework.boot.SpringApplica 在com.manway.BccApplication.main(BccApplication.java:16)[main /:na]的.prun(SpringApplication.java:1234)[spring-boot-2.0.0.RC2.jar:2.0.0.RC2]在sun.reflect.DelegatingMethodAccessorImpl的sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)〜[na:1.8.0_40] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)〜[na:1.8.0_40].在org.springframework.boot.devtools的java.lang.reflect.Method.invoke(Method.java:497)〜[na:1.8.0_40]中调用(DelegatingMethodAccessorImpl.java:43)〜[na:1.8.0_40]. restart.RestartLauncher.run(RestartLauncher.java:49)[spring-boot-devtools-2.0.0.RC2.jar:2.0.0.RC2]引起:org.springframework.beans.BeanInstantiationException:无法实例化[org. springframework.web.servlet.HandlerMapping]:工厂方法'resourceHandlerMapping'抛出异常; 嵌套异常是java.lang.IllegalStateException:没有在org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185)〜[spring-beans-5.0.4.RELEASE.jar:5.0.4中设置的ServletContext .RELEASE]在org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:579)〜[spring-beans-5.0.4.RELEASE.jar:5.0.4.RELEASE] ... 24个常见框架省略:java.lang.IllegalStateException:在org.springframework.util.Assert.state(Assert.java:73)中没有设置ServletContext~ [spring-core-5.0.4.RELEASE.jar:5.0.4.RELEASE] org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport.resourceHandlerMapping(WebMvcConfigurationSupport.java:485)〜[spring-webmvc-5.0.4.RELEASE.jar:5.0.4.RELEASE] org.springframework.boot. autoconfigure.web.servlet.WebMvcAutoConfiguration $ EnableWebMvcConfiguration $$ EnhancerBySpringCGLIB $$ 5de64506.CGLIB $ resourceHandlerMapping $ 40()〜[spring-boot-autoconf 在org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration $ EnableNetMvcConfiguration $$ EnhancerBySpringCGLIB $$ 5de64506 $$ FastClassBySpringCGLIB $$ …
一些背景:我们有一个集成测试类,用于测试与 Spring 授权一起使用的常量 SPEL 字符串。简单的例子:
@SpringBootTest
@RunWith(SpringRunner.class)
public class HasRoleConstantsTest {
@Test
@WithMockUser(username = "uname", roles = "ADMIN")
public void test() {
// just calling some test method with appropriate annotation
}
}
前面提到的常量的用法如下:
@PreAuthorize(PREDEFINED_AUTHORIZATION_RULE)
其中常量可能是一些更复杂的检查,例如:
public static final String PREDEFINED_AUTHORIZATION_RULE =
"hasRole('ADMIN') OR (hasRole('MAINTAINER') AND hasRole('#id'))"
我们已经按照此处WebSecurityConfiguration的建议进行了配置,因此添加了如下 bean:
@Bean
GrantedAuthorityDefaults grantedAuthorityDefaults() {
return new GrantedAuthorityDefaults(""); // Remove the ROLE_ prefix
}
一切都像魅力一样,除了帖子顶部所示的测试失败,因为在测试环境中 Spring security 仍然向每个模拟用户角色添加前缀ROLE_ 。
有人可以阐明如何配置测试类,或者 - 例如 - 应该如何SecurityContext操作以在测试中删除此前缀?