JHipster: Enable anonymous users to read entity, but not update?

Views: 60

Question

I have generated a JHipster application using these values:

{
  "generator-jhipster": {
    "jhipsterVersion": "3.1.0",
    "baseName": "app",
    "packageName": "my.app",
    "packageFolder": "my/app",
    "serverPort": "8080",
    "authenticationType": "session",
    "hibernateCache": "ehcache",
    "clusteredHttpSession": "no",
    "websocket": "no",
    "databaseType": "sql",
    "devDatabaseType": "h2Disk",
    "prodDatabaseType": "mysql",
    "searchEngine": "elasticsearch",
    "buildTool": "gradle",
    "enableSocialSignIn": false,
    "rememberMeKey": "",
    "useSass": true,
    "applicationType": "monolith",
    "testFrameworks": [],
    "jhiPrefix": "jhi",
    "enableTranslation": false
  }
}


I would like to allow anonymous users to view an entity, but not update or delete that entity. I have tried editing the generated SecurityConfiguration.java file to add permitAll(HttpMethod.GET,"/**") for authorizeRequests() in the configure(HttpSecurity http) method. I still get directed to accessdenied when trying to access the entity.


Has anyone addressed this use case before?

Recommended answer

This is for AngularJS 1.x

For accessing the resources: in SecurityConfiguration.java, in the configure(HttpSecurity http) method

    .and()
        .authorizeRequests()
        .antMatchers(HttpMethod.GET, "/api/**").permitAll()

For accessing the angular views/states: for each entity, comment out or remove the authorities property for read-only states. Below is an example for the Book entity in src/main/webapp/app/entities/book/book.state.js:

    .state('book', {
        parent: 'entity',
        url: '/book',
        data: {
            // authorities: ['ROLE_USER'],
            pageTitle: 'monoApp.book.home.title'
        },
        ....
    })
    .state('book-detail', {
        parent: 'entity',
        url: '/book/{id}',
        data: {
            // authorities: ['ROLE_USER'],
            pageTitle: 'monoApp.book.detail.title'
        },
        ....
    })


However, pay attention to 2 things:

  • By using such a pattern in SecurityConfiguration, you also expose your users at /api/users. It would be safer to add a permitAll() per entity so that you keep full control over what you expose (whitelist approach)
  • The user experience is poor as you still expose buttons for adding or deleting entities. So you could hide them with ng-hide
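As an added example (not the answer's or JHipster's own code), this is what the whitelist variant of configure(HttpSecurity http) from the first caveat looks like: only GET on the Book entity is opened to anonymous users, while /api/users and every write on /api/books stay behind the existing authenticated() rule. It assumes the entity is exposed at /api/books and, since the generator options include Elasticsearch, at the generated search path /api/_search/books; the other rules JHipster generates in this method (login, register, account, CSRF) are left out.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Whitelist: anonymous read access for the Book entity only.
                // Matchers are evaluated in declaration order, so these
                // specific GET rules must precede the catch-all /api/** rule.
                // Paths are assumptions based on JHipster's naming convention.
                .antMatchers(HttpMethod.GET, "/api/books", "/api/books/**").permitAll()
                .antMatchers(HttpMethod.GET, "/api/_search/books").permitAll()
                // Everything else under /api, including GET /api/users and
                // POST/PUT/DELETE on /api/books, still needs an authenticated
                // session. A blanket GET /api/** permitAll() would not give
                // this guarantee.
                .antMatchers("/api/**").authenticated();
    }
}
```

Because the rule set is a whitelist, adding a second read-only entity means adding its own GET matcher rather than widening an existing pattern.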
