WebSecurityConfiguration
Ignoring interception
web.ignoring
/**
 * @MethodName: configure
 * @Description: ignore interception of /user/login
 * @Param: [web]
 * @Return: void
 * @Author: pl
 * @Date: 23:16
 **/
@Override
public void configure(WebSecurity web) throws Exception {
    // the ignore rule is deliberately left commented out to show what happens without it
    /* web.ignoring()
        .antMatchers("/user/login"); */
}
Without the ignore rule configured, accessing /user/login returns:
{
    "error": "unauthorized", # not authorized
    "error_description": "Full authentication is required to access this resource"
}
Authorized access paths
antMatchers
/**
 * @MethodName: configure
 * @Description: authorization
 * @Param: [http]
 * @Return: void
 * @Author: pl
 * @Date: 0:03
 **/
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.exceptionHandling()
        .and()
        // no HTTP session is created: every request must carry its own credentials
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        // added authorization rule: /user/info requires the ADMIN authority
        .antMatchers("/user/info").hasAuthority("ADMIN");
    /* .antMatchers("/user/logout").hasAuthority("ADMIN"); */
}
The response:
{
    "error": "unauthorized",
    "error_description": "Full authentication is required to access this resource"
}
Different roles
The user has the USER role, but the path is authorized for ADMIN.
@Override
public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {
    // username matches
    if (userName.equals(USERNAME)) {
        List<GrantedAuthority> grantedAuthorities = Lists.newArrayList();
        // in-memory authorization: USER role
        GrantedAuthority grantedAuthority = new SimpleGrantedAuthority("USER");
        grantedAuthorities.add(grantedAuthority);
        return new User(USERNAME, PASSWORD, grantedAuthorities);
    }
    // username does not match: the UserDetailsService contract forbids returning null,
    // so report the missing user with the exception declared in the signature
    throw new UsernameNotFoundException("user not found: " + userName);
}
/user/logout also requires the ADMIN role
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.exceptionHandling()
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        // added authorization rules: both paths require the ADMIN authority
        .antMatchers("/user/info").hasAuthority("ADMIN")
        .antMatchers("/user/logout").hasAuthority("ADMIN");
}
The response:
{
    "error": "unauthorized",
    "error_description": "Full authentication is required to access this resource"
}
This time nothing is printed in the log at all, which shows the request was blocked outright.
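The three snippets above folded into one runnable Spring Security 5 configuration, as an added example that is not the post's own code: it keeps /user/login inside the filter chain with permitAll() instead of web.ignoring(), adds the anyRequest() rule the post leaves out, and registers two in-memory users so the USER-versus-ADMIN case can be tried both ways. Assumed, not from the post: HTTP Basic as the login mechanism, the usernames and passwords, and the /static/** path.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    // An ignored path skips the whole security filter chain (no authentication, CSRF
    // or security headers), so reserve web.ignoring() for static files, not /user/login.
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers("/static/**");   // assumed path
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().authorizeRequests()
                // login stays inside the chain: the filters still run, the decision is "allow"
                .antMatchers("/user/login").permitAll()
                // hasAuthority matches the raw string; hasRole("ADMIN") would expect ROLE_ADMIN
                .antMatchers("/user/info", "/user/logout").hasAuthority("ADMIN")
                // without this rule, every path not listed above is reachable by anyone
                .anyRequest().authenticated()
            .and().httpBasic();   // assumed: HTTP Basic stands in for the post's token login
    }

    // Two in-memory users so the post's USER-vs-ADMIN case can be tried both ways:
    // "user" is denied on /user/info (403 with the default handler), "admin" gets through.
    // InMemoryUserDetailsManager throws UsernameNotFoundException for unknown names.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder enc) {
        User user = new User("user", enc.encode("userpass"), List.of(new SimpleGrantedAuthority("USER")));
        User admin = new User("admin", enc.encode("adminpass"), List.of(new SimpleGrantedAuthority("ADMIN")));
        return new InMemoryUserDetailsManager(user, admin);
    }
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```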