Problem protecting endpoints using antMatchers in Spring Security (Spring Boot 3.0.7 & JDK 17)

Question

I want delete operations on /api/v1/posts/1 to be performed only by ADMIN.
Here is the relevant code:

My Bean is:

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception{
    httpSecurity
            .cors()
            .and()
            .csrf()
            .disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.DELETE, "/api/v1/posts/{id}").hasRole("ADMIN")
            .anyRequest().authenticated()
            .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    httpSecurity.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);

    return httpSecurity.build();
}

The following line has a compile error that I don't understand:

httpSecurity.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);

Answer 1

Score: 4

In Spring Security 6.0 (so along with Spring Boot 3), antMatchers, mvcMatchers(), and(), and several other methods were deprecated. A requestMatchers method was provided, along with the Customizer approach for configuring input arguments. These all seem to be the issues with your code; please update it and read the documentation!

Here is a fix for your code implementing all of the above:

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
            // withDefaults() is a static import of org.springframework.security.config.Customizer.withDefaults
            .cors(withDefaults())
            .csrf(csrf -> csrf.disable())
            .authorizeRequests(authorize -> authorize
                 // requestMatchers replaces antMatchers; the DELETE rule must precede anyRequest()
                 .requestMatchers(HttpMethod.DELETE, "/api/v1/posts/{id}")
                 .hasRole("ADMIN")
                 .anyRequest()
                 .authenticated())
            .sessionManagement(sessionManagement -> sessionManagement
                 .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // no and() needed: each Customizer returns to the HttpSecurity builder
            .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);

    return httpSecurity.build();
}
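A configuration that compiles is only half of the fix; the rule itself should be verified. The following MockMvc test is an added example, not code from the question or the answer, and checks the behaviour the answer's filter chain is meant to enforce: only ADMIN may DELETE a post, any authenticated user may still GET it, and an anonymous request is rejected before it reaches the controller. It assumes (none of this is in the original) that the answer's `securityFilterChain` bean is registered in the application, that a `PostController` handles GET and DELETE on `/api/v1/posts/{id}` with a 2xx response, that the application's `jwtAuthFilter` leaves requests without an `Authorization` header untouched, and that `spring-boot-starter-test` and `spring-security-test` are on the test classpath. The package name is hypothetical.

```java
// Added example (not from the question or the answer): verifies the DELETE authorization rule.
// Assumptions, not in the original: the securityFilterChain bean above is active; a PostController
// serves GET and DELETE /api/v1/posts/{id} with a 2xx status; the JWT filter ignores requests that
// carry no Authorization header; spring-security-test is on the test classpath.
package com.example.posts; // hypothetical package

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class PostDeleteAuthorizationTest {

    @Autowired
    private MockMvc mockMvc;

    // hasRole("ADMIN") matches the granted authority ROLE_ADMIN;
    // @WithMockUser(roles = ...) adds the ROLE_ prefix for us.
    @Test
    @WithMockUser(roles = "ADMIN")
    void adminCanDeletePost() throws Exception {
        mockMvc.perform(delete("/api/v1/posts/1"))
               .andExpect(status().is2xxSuccessful());
    }

    // An authenticated non-admin passes anyRequest().authenticated() but is
    // denied by the more specific DELETE rule, which is evaluated first.
    @Test
    @WithMockUser(roles = "USER")
    void userCannotDeletePost() throws Exception {
        mockMvc.perform(delete("/api/v1/posts/1"))
               .andExpect(status().isForbidden());
    }

    // The rule is bound to the HTTP method: the same path stays readable
    // for any authenticated user.
    @Test
    @WithMockUser(roles = "USER")
    void userCanStillReadPost() throws Exception {
        mockMvc.perform(get("/api/v1/posts/1"))
               .andExpect(status().is2xxSuccessful());
    }

    // Without any authentication the request never reaches the controller.
    // Whether the response is 401 or 403 depends on the entry point the JWT
    // filter configures, so only the status class is asserted here.
    @Test
    void anonymousCannotDeletePost() throws Exception {
        mockMvc.perform(delete("/api/v1/posts/1"))
               .andExpect(status().is4xxClientError());
    }
}
```

Because the chain disables CSRF, the DELETE requests need no `.with(csrf())`; if CSRF were re-enabled for a session-based setup, the first two tests would have to add it. Note also that in Spring Security 6.0 the answer's `authorizeRequests(Customizer)` still compiles but is itself deprecated in favour of `authorizeHttpRequests`, which accepts the same `requestMatchers(HttpMethod, String...)` and `hasRole(...)` calls, so this test covers both forms of the configuration.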

huangapple
  • Posted on 2023-06-22 13:24:40
  • Please keep this link when reposting: https://go.coder-hub.com/76528804.html