1. 首页
  2. 问答
  3. 如何在春季使用基于表达式的访问控制?

如何在春季使用基于表达式的访问控制?

2017-07-28 58 views
0

我是新来spring.I已经创建了用户login.The用户登录方法的API包含以下代码:如何在春季使用基于表达式的访问控制?

Authentication auth =new UsernamePasswordAuthenticationToken(repo.findByEmail(user.getEmail()), null, repo.findByEmail(user.getEmail()).getAuthorities()); 

SecurityContextHolder.getContext().setAuthentication(auth); 
Principal principal= SecurityContextHolder.getContext().getAuthentication(); 
return (User) auth.getPrincipal();

登录API给了我下面的JSON:

{ 
"userId": 1, 
"userName": "ramesh khadka", 
"email": "[email protected]", 
"enabled": true, 
"role": "Manager", 
"username": "ramesh khadka", 
"authorities": [ 
    { 
     "authority": "ROLE_Manager" 
    } 
], 
"accountNonExpired": true, 
"accountNonLocked": true, 
"credentialsNonExpired": true 
}

我有另一个API来获取所有使用@PreAuthorize(“hasAuthority(‘ROLE_Manager’)”),以检查当局的用户granted.When我打电话以下消息API显示: -

{ 
"error": "unauthorized", 
"error_description": "Full authentication is required to access this resource" 
}

我无法弄清楚我做错了什么。有人可以帮我解决这个问题吗?

我AuthorizationServer是: -

@Configuration 
@EnableAuthorizationServer 
public class SecurityServer extends AuthorizationServerConfigurerAdapter { 
@Autowired 
@Qualifier("userDetailsService") 
private UserDetailsService userDetailsService; 

@Autowired 
private AuthenticationManager authenticationManager; 

@Override 
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception { 
    security.checkTokenAccess("isAuthenticated()"); 
} 

@Override 
public void configure(ClientDetailsServiceConfigurer clients) throws Exception { 
    // super.configure(clients); 
    clients.inMemory() 
      .withClient("test") 
      .accessTokenValiditySeconds(3600) 
      .authorizedGrantTypes("authorization_code","refresh_token","password","client_credentials") 
      .secret("user") 
      .scopes("read", "write", "trust") 
      .redirectUris("/error") 
      .resourceIds("resource"); 
} 

@Override 
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { 
    endpoints.authenticationManager(this.authenticationManager); 
    endpoints.userDetailsService(userDetailsService); 
} 
@Bean 
public PasswordEncoder passwordEncoder() { 
    return new BCryptPasswordEncoder(); 
} 
@Bean 
public FilterRegistrationBean corsFilter() { 
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); 
    CorsConfiguration config = new CorsConfiguration(); 
    config.setAllowCredentials(true); 
    config.addAllowedOrigin("*"); 
    config.addAllowedHeader("*"); 
    config.addAllowedMethod("*"); 
    source.registerCorsConfiguration("/**", config); 
    FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source)); 
    bean.setOrder(Ordered.HIGHEST_PRECEDENCE); 
    return bean; 
}

}

来源

2017-07-28 Ramesh Khadka

+0

您可以将您的春季安全配置? –

+0

@AnupamaBoorlagadda我已经包含了我的安全代码 –

回答

0

在你的代码说明你有使用 '@PreAuthorize( “hasAuthority( 'ROLE_Manager')”)'

hasAuthority([ authority]) - >如果当前委托人具有指定的权限,则返回true。

请加“@PreAuthorize( “hasRole( '经理')”)`

@PreAuthorize("hasRole('USER')") 
public void create(Contact contact);

要么你可以用它来为他们的任何角色你 正在寻找,然后检查 hasAnyRole([role1上,role2]) - >如果当前主体有任何提供的角色(以逗号分隔的字符串列表形式给出),则返回true。默认情况下,如果提供的角色不以“ROLE_”开头,它将被添加。这可以通过修改DefaultWebSecurityExpressionHandler上的defaultRolePrefix来定制。

欲了解更多您可以参考以下链接: https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html https://dzone.com/refcardz/expression-based-authorization

来源

2017-07-28 05:20:05

相关问题

 相关问题