代码之家  ›  专栏  ›  技术社区  ›  Stefan Falk

@PreAuthorize not working with prespenabled=真

  •  1
  • Stefan Falk  · 技术社区  · 6 年前

    使用 @EnableGlobalMethodSecurity(prePostEnabled = true)

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    }
    

    @PreAuthorized 无效:

    @PreAuthorize("permitAll()")
    @RequestMapping(value = "/users/change-email", method = RequestMethod.GET)
    public void changeEmail() {
        // ..
    }
    

    我也有 moved the annotation into the service layer 同样的结果:

    @PreAuthorize("permitAll()")
    @Transactional
    public void changeEmail(HttpServletResponse response, String token) throws IOException {
         // ..
    }
    

    我不清楚为什么-有什么想法吗?

    这就是我如何配置我的 ResourceServerConfigurerAdapter

    @Configuration
    @EnableResourceServer
    public class ResourceServer extends ResourceServerConfigurerAdapter {
    
        @Override
        public void configure(HttpSecurity http) throws Exception {
    
            http
                    .exceptionHandling()
                        .authenticationEntryPoint(new AuthFailureHandler())
                    .and()
                    .authorizeRequests()
                        .anyRequest()
                        .authenticated();
        }
    }
    

    AccessDeniedException

    org.springframework.security.access.AccessDeniedException: Access is denied
        at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    
    0 回复  |  直到 6 年前