Problem protecting endpoints using antMatchers in Spring Security (Spring Boot 3.0.7 & JDK 17)
Question
I want delete operations on /api/v1/posts/1 to be performed only by ADMIN.
Here is the code: .antMatchers(HttpMethod.DELETE, "/api/v1/posts/{id}").hasRole("ADMIN")
My Bean is:
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .cors()
            .and()
            .csrf()
            .disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.DELETE, "/api/v1/posts/{id}").hasRole("ADMIN")
            .anyRequest().authenticated()
            .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        httpSecurity.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);
        return httpSecurity.build();
    }
The following line has a compile error that I don't understand:
    httpSecurity.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);
Answer 1
Score: 4
In Spring Security 6.0 (so along with Spring Boot 3), antMatchers, mvcMatchers(), and() as well as several other methods were deprecated. A method requestMatchers was provided, along with their Customizer approach of configuring input arguments. These all seem to be issues with your code; please update and read the documentation, and update your code!
The following should be a fix to your code implementing all of the above:
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            // withDefaults() is the static import org.springframework.security.config.Customizer.withDefaults
            .cors(withDefaults())
            .csrf(csrf -> csrf.disable())
            .authorizeRequests(authorize -> authorize
                // the method-specific rule comes first, the catch-all rule last
                .requestMatchers(HttpMethod.DELETE, "/api/v1/posts/{id}")
                .hasRole("ADMIN")
                .anyRequest()
                .authenticated())
            .sessionManagement(sessionManagement -> sessionManagement
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);
        return httpSecurity.build();
    }
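A check the answer does not include, added here and not code from the question or the answer: a MockMvc test that verifies the requestMatchers rule for DELETE behaves as intended for anonymous, non-admin and admin callers. It assumes a Spring Boot test context that starts, a handler for DELETE /api/v1/posts/{id}, spring-security-test on the test classpath, and that jwtAuthFilter passes requests without a token on down the chain.

```java
// Added example, not code from the question or the answer: a MockMvc test that checks
// that the DELETE rule in the corrected SecurityFilterChain really enforces ROLE_ADMIN.
// Assumptions: the application context starts under @SpringBootTest, a handler exists for
// DELETE /api/v1/posts/{id}, and jwtAuthFilter lets requests without a Bearer token through.
import static org.hamcrest.Matchers.anyOf;
import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.not;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc // wires the SecurityFilterChain into MockMvc
class PostDeleteAuthorizationTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void anonymousDeleteIsRejected() throws Exception {
        // No authentication: 403 from the default Http403ForbiddenEntryPoint,
        // or 401 if jwtAuthFilter rejects the missing token itself.
        mockMvc.perform(delete("/api/v1/posts/1"))
               .andExpect(status().is(anyOf(is(401), is(403))));
    }

    @Test
    @WithMockUser(roles = "USER") // granted authority ROLE_USER
    void authenticatedNonAdminIsForbidden() throws Exception {
        // Logged in but without ROLE_ADMIN: hasRole("ADMIN") must deny.
        mockMvc.perform(delete("/api/v1/posts/1"))
               .andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(roles = "ADMIN") // hasRole("ADMIN") looks for authority ROLE_ADMIN
    void adminPassesAuthorization() throws Exception {
        // The handler decides the final status (200/204, or 404 if post 1 is absent);
        // the security layer must not answer 401 or 403.
        mockMvc.perform(delete("/api/v1/posts/1"))
               .andExpect(status().is(not(anyOf(is(401), is(403)))));
    }
}
```

The same three cases are worth re-running whenever the rule order in authorizeRequests changes, since a catch-all placed before the DELETE rule silently wins.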