[Question title]: @PreAuthorize annotation does not work for JpaRepository in Spring
[Posted]: 2019-02-06 13:02:36
[Question description]:

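I have the following problem with my UsersRepository.

I have a user repository, and I am trying to show all the users in my database only if the logged-in user is an "admin".

However, when I extend JpaRepository, the code below returns all users. When I extend CrudRepository, it works fine.

Is this a known limitation, or am I doing something wrong?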

    @Repository
    public interface UserRepository extends JpaRepository<User, Long> {

        List<User> findById(List<Long> userIds);

        Optional<User> findByUsername(String username);

        Boolean existsByUsername(String username);

    }

    {

        @PreAuthorize("hasRole('test')")
        @RequestMapping(value = "/api/users", method = RequestMethod.GET)
        public @ResponseBody
        List<User> findAll(Sort var1);

    }

Adding the Spring security configuration class to show the security settings:

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(
        securedEnabled = true,
        jsr250Enabled = true,
        prePostEnabled = true
    )
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private JwtAuthenticationEntryPoint unauthorizedHandler;

        @Autowired
        CustomUserDetailsService customUserDetailsService;

        @Bean
        public JwtAuthenticationFilter jwtAuthenticationFilter() {
            return new JwtAuthenticationFilter();
        }

        private String[] permitted = new String[] {
                "/static/css/**", "/static/media/**", "/static/js/**", "/static/manifest.json"
        };

        @Bean(BeanIds.AUTHENTICATION_MANAGER)
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        // this will create the auth manager that we will use to auth the user
        @Override
        public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
            authenticationManagerBuilder
                    .userDetailsService(customUserDetailsService)
                    .passwordEncoder(passwordEncoder());
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .cors()
                    .and()
                    .csrf()
                    .disable()
                    .exceptionHandling()
                    .authenticationEntryPoint(unauthorizedHandler)
                    .and()
                    .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                    // .requiresChannel()
                    // .anyRequest()
                    // .requiresSecure()
                    // .and()
                    .authorizeRequests()
                    .antMatchers(permitted)
                    .permitAll()
                    .antMatchers("/api/auth/**", "/api/", "/")
                    .permitAll()
                    .anyRequest()
                    .permitAll();
                    //.authenticated();

            // Add our custom JWT security filter
            http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
        }

        @Bean
        public PasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }

    }

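[Question comments]:

  • Do you want to apply @PreAuthorize on the RequestMapping rather than on the Repository?
  • Yes, initially I removed the @RequestMapping line; I only used it for testing purposes: @PreAuthorize("hasRole('test')") List findAll(Sort var1);
  • Could you specify the Spring version?
  • Spring version 2.1.2
  • Are you using Spring Boot?

Tags: java api spring-boot spring-data-jpa repository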


[Solution 1]:

Can you show the implementation of your security class? Have you annotated it with @EnableGlobalMethodSecurity(prePostEnabled = true)?

[Comments]:

  • Done, see above. Kind regards