JHipster: Enable anonymous users to read entity, but not update?
Question
I have generated a JHipster application using these values:
{
  "generator-jhipster": {
    "jhipsterVersion": "3.1.0",
    "baseName": "app",
    "packageName": "my.app",
    "packageFolder": "my/app",
    "serverPort": "8080",
    "authenticationType": "session",
    "hibernateCache": "ehcache",
    "clusteredHttpSession": "no",
    "websocket": "no",
    "databaseType": "sql",
    "devDatabaseType": "h2Disk",
    "prodDatabaseType": "mysql",
    "searchEngine": "elasticsearch",
    "buildTool": "gradle",
    "enableSocialSignIn": false,
    "rememberMeKey": "",
    "useSass": true,
    "applicationType": "monolith",
    "testFrameworks": [],
    "jhiPrefix": "jhi",
    "enableTranslation": false
  }
}
I would like to allow anonymous users to view an entity, but not update or delete that entity. I have tried editing the generated SecurityConfiguration.java file to add permitAll(HttpMethod.GET, "/**") for authorizeRequests() in the configure(HttpSecurity http) method. I still get directed to accessdenied when trying to access the entity.
Has anyone addressed this use case before?
Answer
This is for AngularJS 1.x
For accessing the resources: in SecurityConfiguration.java, in the configure(HttpSecurity http) method:
.and()
    .authorizeRequests()
    .antMatchers(HttpMethod.GET, "/api/**").permitAll()
For accessing the angular views/states: for each entity, comment out or remove the authorities property for read-only states. Below is an example for the Book entity in src/main/webapp/app/entities/book/book.state.js:
.state('book', {
    parent: 'entity',
    url: '/book',
    data: {
        // authorities: ['ROLE_USER'],
        pageTitle: 'monoApp.book.home.title'
    },
    ....
})
.state('book-detail', {
    parent: 'entity',
    url: '/book/{id}',
    data: {
        // authorities: ['ROLE_USER'],
        pageTitle: 'monoApp.book.detail.title'
    },
However, pay attention to 2 things:
- By using such a pattern in SecurityConfiguration, you also expose your users at /api/users. It would be safer to add a permitAll() per entity so that you keep full control over what you expose (whitelist approach).
- The user experience is poor, as you still expose buttons for adding or deleting entities. So you could hide them with ng-hide.
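The whitelist approach from the answer's first note, written out as an added example (this is not code from the question, the answer or the JHipster generator). It assumes the package my.app from the question's configuration, the Book entity from the answer, the REST paths /api/books and /api/books/{id} that JHipster generates for such an entity, and the Elasticsearch endpoint /api/_search/books; the ROLE_ADMIN literal stands in for JHipster's AuthoritiesConstants.ADMIN. Only GET on the Book paths is opened to anonymous callers; POST, PUT and DELETE on the same paths, and every method on /api/users, still require an authenticated session. Spring Security evaluates antMatchers rules in order and the first match wins, so the specific GET rules must come before the catch-all /api/** rule, otherwise the catch-all swallows the anonymous request and the accessdenied redirect from the question is the result.

```java
package my.app.config; // packageName from the question's .yo-rc.json

import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example of a per-entity, read-only whitelist in the style of a
 * JHipster 3.x SecurityConfiguration. Rules unrelated to the question
 * (login, registration, management endpoints) are omitted.
 */
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Hypothetical constant; JHipster keeps this in AuthoritiesConstants.ADMIN.
    private static final String ROLE_ADMIN = "ROLE_ADMIN";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
            .and()
            .authorizeRequests()
                // Whitelist: anonymous read access to ONE entity only.
                // Order matters: first matching rule wins, so these specific
                // GET matchers must sit above the /api/** catch-all.
                .antMatchers(HttpMethod.GET, "/api/books").permitAll()
                .antMatchers(HttpMethod.GET, "/api/books/*").permitAll()
                .antMatchers(HttpMethod.GET, "/api/_search/books").permitAll()
                // Deliberately NOT the broad form from the answer, which would
                // also open /api/users and /api/account to anonymous GETs:
                //   .antMatchers(HttpMethod.GET, "/api/**").permitAll()
                // User administration stays admin-only, regardless of method.
                .antMatchers("/api/users/**").hasAuthority(ROLE_ADMIN)
                // Everything else under /api (including POST/PUT/DELETE on
                // /api/books) still needs an authenticated session.
                .antMatchers("/api/**").authenticated();
    }
}
```

A quick way to confirm the intended outcome after the change: an unauthenticated GET /api/books should return 200, while an unauthenticated DELETE /api/books/1 or GET /api/users should return 401 or be redirected to accessdenied. Checking both directions catches the ordering mistake described above as well as an accidentally over-broad matcher.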