Spring安全配置类
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
private UserDetailsService userDetailsService;
@Bean
public PasswordEncoder getPasswordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors()
.and()
.authorizeRequests()
.antMatchers("/user", "/login").permitAll()
.antMatchers("/employee", "/insurance").hasRole("User")
.anyRequest()
.authenticated()
.and()
.httpBasic()
.and()
.csrf().disable();
}
protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(getPasswordEncoder());
}
}
UserDetailsService实现类
@Service
public class UserDetailsServiceImpl implements UserDetailsService {
@Autowired
private UserService userService;
@Override
public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {
User user = null;
Set<GrantedAuthority> grantedAuthorities = null;
try
{
user = userService.findByUserName(userName);
if(user == null)
throw new UsernameNotFoundException("User " + userName + " not available");
grantedAuthorities = new HashSet<>();
for(Role role: user.getRoles()) {
grantedAuthorities.add(new SimpleGrantedAuthority(role.getRole().toString()));
}
}
catch(Exception exp) {
exp.printStackTrace();
}
return new org.springframework.security.core.userdetails.User(user.getUserName(), user.getPassword(), grantedAuthorities);
}
}
员工休息控制器类
@RestController
public class EmployeeController {
@Autowired
private EmployeeService employeeService;
@Autowired
private InsuranceService insuranceService;
@PostMapping("/employee")
public ResponseEntity<Employee> create(@RequestBody Employee employee) throws Exception {
employee = employeeService.create(employee);
return new ResponseEntity<Employee>(employee, HttpStatus.CREATED);
}
@PutMapping("/employee")
public ResponseEntity<Employee> update(@RequestBody Employee employee) throws Exception {
employee = employeeService.update(employee);
return new ResponseEntity<Employee>(employee, HttpStatus.OK);
}
@DeleteMapping("/employee/{id}")
public ResponseEntity<String> delete(@PathVariable("id") long id) throws Exception {
employeeService.delete(id);
return new ResponseEntity<String>("Employee deleted successfully", HttpStatus.OK);
}
@GetMapping("/employee/{id}")
public ResponseEntity<Employee> findEmployeeDetails(@PathVariable("id") long id) throws Exception {
Employee employee = employeeService.findById(id);
return new ResponseEntity<Employee>(employee, HttpStatus.OK);
}
@GetMapping("/employee")
public ResponseEntity<List<Employee>> findAll() throws Exception {
List<Employee> employees = employeeService.findAll();
return new ResponseEntity<List<Employee>>(employees, HttpStatus.OK);
}
}
我在使用Postman向/employee URL提交任何HTTP请求方法(POST/GET/PUT)时都会收到403禁止错误。
{
"timestamp": "2019-09-17T05:37:35.778+0000",
"status": 403,
"error": "Forbidden",
"message": "Forbidden",
"path": "/hr-core/employee"
}
我使用POSTMAN发送HTTP请求时,在basic auth header(Authorization)中正确填写了用户名和密码,但仍然出现此错误。该用户拥有访问/employee REST端点的USER和ADMIN角色。我已在http安全性中禁用了CSRF。
你可以如何解决这个错误?