我有自定义身份验证筛选器,它创建PreAuthenticatedAuthenticationToken并将其存储在安全上下文中.过滤器工作正常,它使用适当的授权权限"ROLE_user"和"ROLE_adminuser"创建令牌.这是我的配置:
@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
X509AuthenticationFilter filter = new X509AuthenticationFilter()
filter.setAuthenticationManager(authenticationManager())
http.addFilterAfter(filter, SecurityContextPersistenceFilter.class)
http.authorizeRequests().anyRequest().permitAll()
}
@Bean
public FilterRegistrationBean filterRegistrationBean() {
FilterRegistrationBean registrationBean = new FilterRegistrationBean()
X509AuthenticationFilter filter = new X509AuthenticationFilter()
filter.setAuthenticationManager(authenticationManager())
registrationBean.setFilter(filter)
registrationBean.setEnabled(false)
return registrationBean
}
我在SecurityContextPersistenceFilter之前插入Filter,如下所述:Spring安全性和自定义AuthenticationFilter与Spring启动.
但是,当我尝试将PreAuthorize注释添加到我的控制器方法时,这似乎工作正常,如下所示:
@Controller
@RequestMapping("/security")
class SecurityController {
@RequestMapping("/authenticate")
@PreAuthorize("hasRole('ROLE_user')")
@ResponseBody
ResponseEntity<String> authenticate(HttpServletRequest request, Principal principal) {
println "authenticate: " + SecurityContextHolder.getContext().getAuthentication()
return new ResponseEntity<String>(getPreAuthenticatedPrincipal(request), HttpStatus.OK)
}
我收到404错误.如果我注释掉PreAuthorize注释,则方法调用有效,您可以看到我打印出身份验证信息,并且经过身份验证的用户已为其授予的权限使用ROLE_user和ROLE_adminuser.我不确定我做错了什么. …