Spring Security, Method Security annotation (@Secured) is not working (java config)


Problem description

I am trying to set up a method security annotation using @Secured("ADMIN") (without any XML, only Java config, Spring Boot). But access via roles does not work.

Security config:

@Configuration
@EnableWebSecurity
public class AppSecurityConfiguration extends WebSecurityConfigurerAdapter{

.....

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/api/**").fullyAuthenticated().and()
                .addFilterBefore(tokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    }

.....

}

I want to restrict access to the method of the controller:

@RestController
@RequestMapping("/api/groups")
public class GroupController {

    @Autowired
    private GroupService groupService;

    @Secured("ADMIN")
    @RequestMapping
    public List<Group> list() {
        return groupService.findAll();
    }

}

Restricting access by the URL is working, with:

.antMatchers("/api/**").hasAuthority("ADMIN")

Maybe I forgot to specify that I want to restrict by roles?

UPD: By the rules, at what layer must @PreAuthorize("hasRole('ADMIN')") be: in the Controller layer or in the Service layer?

Recommended answer

This problem is solved.

I added @EnableGlobalMethodSecurity(prePostEnabled = true)

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class AppSecurityConfiguration extends WebSecurityConfigurerAdapter{
}

And in the controller I changed @Secured("ADMIN") to @PreAuthorize("hasRole('ADMIN')")
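
How the three annotation forms differ, as an added example that is not part of the original question or answer. The class names and the /by-* paths are hypothetical; it assumes Spring Security 4 or 5 (where WebSecurityConfigurerAdapter and @EnableGlobalMethodSecurity are available) and that the token filter grants the authority strings named in the comments.

```java
import java.util.Collections;
import java.util.List;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Method-security annotations are only enforced once @EnableGlobalMethodSecurity
// turns on the matching flag; each annotation family has its own switch.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(
        prePostEnabled = true,  // activates @PreAuthorize / @PostAuthorize
        securedEnabled = true)  // activates @Secured
class MethodSecurityConfig extends WebSecurityConfigurerAdapter {
    // configure(HttpSecurity) stays as in the question
}

// Hypothetical controller: one endpoint per annotation form.
@RestController
@RequestMapping("/api/groups")
class GroupAccessExamples {

    // Exact string match on the granted authority: the same check as the URL rule
    // .antMatchers("/api/**").hasAuthority("ADMIN") from the question.
    @PreAuthorize("hasAuthority('ADMIN')")
    @RequestMapping("/by-authority")
    public List<String> byAuthority() { return Collections.singletonList("group-a"); }

    // hasRole('ADMIN') looks for the authority "ROLE_ADMIN" (the prefix is added
    // automatically in Spring Security 4 and later), so "ROLE_ADMIN" must be granted.
    @PreAuthorize("hasRole('ADMIN')")
    @RequestMapping("/by-role")
    public List<String> byRole() { return Collections.singletonList("group-a"); }

    // @Secured is evaluated by RoleVoter, which by default only votes on attributes
    // starting with "ROLE_"; with @Secured("ADMIN") it abstains and access is denied.
    @Secured("ROLE_ADMIN")
    @RequestMapping("/by-secured")
    public List<String> bySecured() { return Collections.singletonList("group-a"); }
}
```

A quick check after enabling method security is to call each endpoint once with a non-admin token and confirm a 403, since a missing flag leaves the annotation unenforced rather than raising an error.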
