I am upgrading from Spring Boot 2.7.x to 3.0.0. After making the changes recommended in the official documentation, I found that my role hierarchy is no longer respected. I added expressionHandler() to my code, as suggested in Spring Security 6.x deprecated AccessDecisionVoter (https://stackoverflow.com/questions/74763256/accessdecisionvoter-deprecated-with-spring-security-6-x), but it doesn't work.
Any ideas?
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    public SecurityFilterChain configure(
            HttpSecurity http,
            RequestHeaderAuthenticationFilter headerAuthenticationFilter) throws Exception {
        HttpStatusEntryPoint authenticationEntryPoint =
                new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED);
        http
            .addFilterAfter(headerAuthenticationFilter, RequestHeaderAuthenticationFilter.class)
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/**", "/", "/webjars/**").permitAll()
                // Expected: ROLE_SUPERUSER should also satisfy hasRole("USER") via the hierarchy
                .requestMatchers(HttpMethod.POST).hasRole("SUPERUSER")
                .requestMatchers(HttpMethod.GET).hasRole("USER"))
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .exceptionHandling(ex -> ex
                .authenticationEntryPoint(authenticationEntryPoint)
                .accessDeniedHandler(accessDeniedHandler()))
            .csrf(customizer -> customizer.disable());
        return http.build();
    }

    @Bean
    public RequestHeaderAuthenticationFilter headerAuthenticationFilter(
            ...
    }

    @Bean
    public RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl r = new RoleHierarchyImpl();
        r.setHierarchy("ROLE_SUPERUSER > ROLE_USER");
        return r;
    }

    // Expression handler carrying the role hierarchy; the question is why it is not honoured
    @Bean
    public DefaultWebSecurityExpressionHandler expressionHandler() {
        DefaultWebSecurityExpressionHandler expressionHandler = new DefaultWebSecurityExpressionHandler();
        expressionHandler.setRoleHierarchy(roleHierarchy());
        return expressionHandler;
    }
}
AuthorityAuthorizationManager is not exposed as a bean. In fact, it is a final class with a private constructor. So, in order to use my role hierarchy, I need to create the AuthorityAuthorizationManager manually.
This works with Spring Boot 3.0.0 and Spring Security 6.0.0:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {
    @Bean
    public SecurityFilterChain configure(
            HttpSecurity http,
            RequestHeaderAuthenticationFilter headerAuthenticationFilter) throws Exception {
        // Build the manager that hasRole("USER") would build, then attach the RoleHierarchy to it
        var auth1 = AuthorityAuthorizationManager.<RequestAuthorizationContext>hasRole("USER");
        auth1.setRoleHierarchy(roleHierarchy());
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET).access(auth1)
            );
        return http.build();
    }
    @Bean
    public RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl r = new RoleHierarchyImpl();
        r.setHierarchy("ROLE_SUPERUSER > ROLE_USER");
        return r;
    }
}
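As an added example (not code from the question or the answer above), the following stand-alone Java program shows the mechanism behind the answer: `AuthorityAuthorizationManager.hasRole("USER")` compares only the literal `ROLE_USER` authority, so a principal holding just `ROLE_SUPERUSER` is denied until a `RoleHierarchy` is attached to that particular manager; the `DefaultWebSecurityExpressionHandler` bean from the question is never consulted by `authorizeHttpRequests().hasRole()`. It also factors the answer's two lines into a small helper so every matcher in the filter chain can use `.access(hasRoleWithHierarchy(roleHierarchy, "USER"))` instead of repeating the setup. The class name `RoleHierarchyCheck`, the helper name `hasRoleWithHierarchy`, the sample principals and the request path are assumptions of this example; it assumes Spring Security 6.0.x on the classpath plus `spring-test` for `MockHttpServletRequest`.

```java
// Added example, not part of the original question or answer.
// Assumes spring-security-core, spring-security-web 6.0.x and spring-test.
import java.util.function.Supplier;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

public class RoleHierarchyCheck {

    // Same hierarchy as the page: SUPERUSER implies USER, not the other way round
    static RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl r = new RoleHierarchyImpl();
        r.setHierarchy("ROLE_SUPERUSER > ROLE_USER");
        return r;
    }

    // Hypothetical helper: the manager hasRole(role) would create, with the hierarchy attached.
    // In a SecurityFilterChain use it as .requestMatchers(...).access(hasRoleWithHierarchy(h, "USER")).
    static AuthorizationManager<RequestAuthorizationContext> hasRoleWithHierarchy(
            RoleHierarchy hierarchy, String role) {
        AuthorityAuthorizationManager<RequestAuthorizationContext> manager =
                AuthorityAuthorizationManager.hasRole(role);
        manager.setRoleHierarchy(hierarchy);
        return manager;
    }

    // Runs one authorization decision outside the servlet filter chain
    static boolean granted(AuthorizationManager<RequestAuthorizationContext> manager,
                           Authentication authentication) {
        Supplier<Authentication> supplier = () -> authentication;
        // AuthorityAuthorizationManager ignores the request; a mock is enough for the context
        RequestAuthorizationContext ctx =
                new RequestAuthorizationContext(new MockHttpServletRequest("GET", "/items"));
        AuthorizationDecision decision = manager.check(supplier, ctx);
        return decision != null && decision.isGranted();
    }

    static Authentication principalWith(String name, String authority) {
        // Constructed sample principal: already authenticated, carrying exactly one authority
        return UsernamePasswordAuthenticationToken.authenticated(
                name, "n/a", AuthorityUtils.createAuthorityList(authority));
    }

    public static void main(String[] args) {
        Authentication superuser = principalWith("alice", "ROLE_SUPERUSER");
        Authentication plainUser = principalWith("bob", "ROLE_USER");

        // What the question's chain effectively runs for GET: literal ROLE_USER match only
        AuthorizationManager<RequestAuthorizationContext> plain =
                AuthorityAuthorizationManager.hasRole("USER");
        System.out.println("hasRole(USER), no hierarchy,   SUPERUSER -> " + granted(plain, superuser));
        System.out.println("hasRole(USER), no hierarchy,   USER      -> " + granted(plain, plainUser));

        // What the answer wires in: the same check with the hierarchy attached
        AuthorizationManager<RequestAuthorizationContext> withHierarchy =
                hasRoleWithHierarchy(roleHierarchy(), "USER");
        System.out.println("hasRole(USER), with hierarchy, SUPERUSER -> " + granted(withHierarchy, superuser));
        System.out.println("hasRole(USER), with hierarchy, USER      -> " + granted(withHierarchy, plainUser));

        // Least privilege check in the other direction: USER must not climb to SUPERUSER
        AuthorizationManager<RequestAuthorizationContext> superOnly =
                hasRoleWithHierarchy(roleHierarchy(), "SUPERUSER");
        System.out.println("hasRole(SUPERUSER), with hierarchy, USER -> " + granted(superOnly, plainUser));
    }
}
```

The last check is the one worth keeping in a regression test once the hierarchy is wired in: `RoleHierarchyImpl` expands authorities downwards only, so a string like `"ROLE_SUPERUSER > ROLE_USER"` must never let a `ROLE_USER` principal pass a `hasRole("SUPERUSER")` matcher, and a typo in the hierarchy expression is easiest to catch by running decisions like these rather than by reading the filter chain.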