英文:
403 forbidden - Spring Security
问题
我正在尝试使用Spring Security来保护我的网站,但我一直收到403 Forbidden
错误。我已经在网上看过许多帖子,但没有一个适用于我的情况。
我正在使用Springboot构建后端REST API,并使用Postman进行测试。
我已经禁用了 http.csrf().disable();
但仍然出现403错误
。
我可以访问所有用户都有权限的部分,它也能识别出我输入的错误凭据,但当我尝试访问只有具有ADMIN
或USER
角色的用户才能访问的部分时,立即出现以下错误。
{
"timestamp": "2020-08-30T02:08:36.033+00:00",
"status": 403,
"error": "Forbidden",
"message": "",
"path": "/secure/auth/addUser"
}
SecurityConfiguration.java
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService)
.passwordEncoder(encodePWD());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/rest/**").permitAll()
.and()
.authorizeRequests()
.antMatchers("/secure/**").hasAnyRole("ADMIN")
.anyRequest().authenticated()
.and()
.formLogin()
.permitAll();
}
@Bean
public BCryptPasswordEncoder encodePWD() {
return new BCryptPasswordEncoder();
}
}
CustomUserDetailsService.java
@Service
public class CustomUserDetailsService implements UserDetailsService {
@Autowired
private UserRepository userRepository;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userRepository.findByUsername(username);
CustomUserDetails userDetails = null;
if(user != null){
userDetails = new CustomUserDetails();
userDetails.setUser(user);
}else{
throw new UserNotFoundException("User doesn't exist with this username: " + username);
}
return userDetails;
}
}
CustomUserDetails.java
@Getter
@Setter
public class CustomUserDetails implements UserDetails {
private User user;
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return user.getRoles().stream().map(role -> new SimpleGrantedAuthority("ROLE_" + role)).collect(Collectors.toSet());
}
@Override
public String getPassword() {
return user.getPassword();
}
@Override
public String getUsername() {
return user.getUsername();
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
UserController.java
@RequestMapping("/secure/auth/")
public class UserController {
@Autowired
private BCryptPasswordEncoder passwordEncoder;
@PreAuthorize("hasAnyRole('ADMIN')")
// POST method for adding one user
@PostMapping("/addUser")
public User addUser(@RequestBody User user){
String pwd = user.getPassword();
String encriptPwd = passwordEncoder.encode(pwd);
user.setPassword(encriptPwd);
return service.saveUser(user);
}
//other code needed
}
BookContoller.java
@RestController
@RequestMapping("/rest/auth")
public class BookContoller {
@Autowired
private BookService service;
// GET method display all books
@GetMapping("/books")
public List<Book> findAllBooks(){
return service.getAllBooks();
}
}
更新
当我调试以下代码部分时:
return user.getRoles().stream().map(role -> new SimpleGrantedAuthority("ROLE_" + role)).collect(Collectors.toSet());
我得到了我用来登录的用户:
User(id=1, name=chad, surname=huskins, username=chad, email=chad.huskins@gmail.com, password=$2a$10$SMH1T6fQ4HqzTAop.XOR/eDlfKzyjSkGGsT/qDCy1JYnncpdkqv32, roles=[Role(id=1, role=ADMIN)])
User.java
public class User {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Integer id;
private String name;
private String surname;
private String username;
private String email;
private String password;
@OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
@JoinTable(name = "user_role", joinColumns = @JoinColumn(name = "user_id"), inverseJoinColumns = @JoinColumn(name = "role_id"))
private Set<Role> roles;
public Set<Role> getRoles() {
return roles;
}
public void setRoles(Set<Role> roles) {
this.roles = roles;
}
}
Role.java
@Table(name = "Roles")
public class Role {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Integer id;
private String role;
}
英文:
I'm trying to secure my website using Spring security but I am keep getting 403 Forbidden
error. I have seen many posts online but none was applying for my situation.
I am building a backend RESTapi using Springboot and I am testing it with Postman.
I have disabled http.csrf().disable();
but still 403 error
is there.
I can access part where all users have permition It also recognizes if I put bad credentials but when I try to access part where only user with role ADMIN
or USER
have access I immediately have following error.
{
"timestamp": "2020-08-30T02:08:36.033+00:00",
"status": 403,
"error": "Forbidden",
"message": "",
"path": "/secure/auth/addUser"
}
SecurityConfiguration.java
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService)
.passwordEncoder(encodePWD());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/rest/**").permitAll()
.and()
.authorizeRequests()
.antMatchers("/secure/**").hasAnyRole("ADMIN")
.anyRequest().authenticated()
.and()
.formLogin()
.permitAll();
}
@Bean
public BCryptPasswordEncoder encodePWD() {
return new BCryptPasswordEncoder();
}
}
CustomUserDetailsService.java
@Service
public class CustomUserDetailsService implements UserDetailsService {
@Autowired
private UserRepository userRepository;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userRepository.findByUsername(username);
CustomUserDetails userDetails = null;
if(user != null){
userDetails = new CustomUserDetails();
userDetails.setUser(user);
}else{
throw new UserNotFoundException("User doesn't exist with this username: " + username);
}
return userDetails;
}
}
CustomUserDetails.java
@Getter
@Setter
public class CustomUserDetails implements UserDetails {
private User user;
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return user.getRoles().stream().map(role -> new SimpleGrantedAuthority("ROLE_" + role)).collect(Collectors.toSet());
}
@Override
public String getPassword() {
return user.getPassword();
}
@Override
public String getUsername() {
return user.getUsername();
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
UserController. java
@RequestMapping("/secure/auth/")
public class UserController {
@Autowired
private BCryptPasswordEncoder passwordEncoder;
@PreAuthorize("hasAnyRole('ADMIN')")
//POST method for adding one user
@PostMapping("/addUser")
public User addUser(@RequestBody User user){
String pwd = user.getPassword();
String encriptPwd = passwordEncoder.encode(pwd);
user.setPassword(encriptPwd);
return service.saveUser(user);
}
//other code needed
}
BookContoller.java
@RestController
@RequestMapping("/rest/auth")
public class BookContoller {
@Autowired
private BookService service;
//GET method display all books
@GetMapping("/books")
public List<Book> findAllBooks(){
return service.getAllBooks();
}
UPDATE
When I debug part of code with
return user.getRoles().stream().map(role -> new SimpleGrantedAuthority("ROLE_" + role)).collect(Collectors.toSet());
I get back User that I am using to log in...
User(id=1, name=chad, surname=huskins, username=chad, email=chad.huskins@gmail.com, password=$2a$10$SMH1T6fQ4HqzTAop.XOR/eDlfKzyjSkGGsT/qDCy1JYnncpdkqv32, roles=[Role(id=1, role=ADMIN)])
User.java
public class User {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Integer id;
private String name;
private String surname;
private String username;
private String email;
private String password;
//@OneToMany(mappedBy = "user", cascade = CascadeType.ALL)
//private List<Rent> rent = new ArrayList<>();
@OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
@JoinTable(name = "user_role", joinColumns = @JoinColumn(name = "user_id"), inverseJoinColumns = @JoinColumn(name = "role_id"))
private Set<Role> roles;
public Set<Role> getRoles() {
return roles;
}
public void setRoles(Set<Role> roles) {
this.roles = roles;
}
}
Role.java
@Table(name = "Roles")
public class Role {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Integer id;
private String role;
}
答案1
得分: 1
使用new SimpleGrantedAuthority("ROLE_" + role.getRole()))
替代new SimpleGrantedAuthority("ROLE_" + role))
英文:
Use new SimpleGrantedAuthority("ROLE_" + role.getRole()))
instead of new SimpleGrantedAuthority("ROLE_" + role))
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论