发布于2022-09-30 20:07 阅读(628) 评论(0) 点赞(0) 收藏(3)
Dear all I am using spring 5 and like to have the ROLE_ prefix removed. Thereforre I used "grantedAuthorityDefaults" and set the role prefix to "". Unfortunatley when I call later on SecurityContextHolder.getContext().getAuthentication().getAuthorities()
on a page without login (Public acces) than I still get values with "ROLE_" prefix "ROLE_ANONYMOUS" and my mapping logic in the JSON Rest controller Advice fails.
Any hits at which other places I ned to declare the ROLE prefix = "" ?
@Configuration
@EnableWebSecurity(debug = true)
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, jsr250Enabled = true)
public class WebSecurityJwtConfiguration extends WebSecurityConfigurerAdapter {
...
@Bean
public GrantedAuthorityDefaults grantedAuthorityDefaults() {
return new GrantedAuthorityDefaults("");
}
...
}
@RestControllerAdvice
public class CoreSecurityJsonViewControllerAdviceimplements ResponseBodyAdvice<Object> {
protected void beforeBodyWriteInternal(MappingJacksonValue mappingJacksonValue, MediaType mediaType, MethodParameter methodParameter, ServerHttpRequest serverHttpRequest, ServerHttpResponse serverHttpResponse) {
if (SecurityContextHolder.getContext().getAuthentication() != null && SecurityContextHolder.getContext().getAuthentication().getAuthorities() != null) {
// HERE I still get values with "ROLE_" prefix
Collection<? extends GrantedAuthority> authorities = SecurityContextHolder.getContext().getAuthentication().getAuthorities();
Class prioritizedJsonView = this.getJsonViews(authorities);
if (prioritizedJsonView != null) {
mappingJacksonValue.setSerializationView(prioritizedJsonView);
}
}
}
protected Class getJsonViews(Collection<? extends GrantedAuthority> authorities) {
Optional var10000 = authorities.stream().map(GrantedAuthority::getAuthority).map(Role::valueOf).max(Comparator.comparing(Enum::ordinal));
Map var10001 = View.MAPPING;
var10001.getClass();
return (Class)var10000.map(var10001::get).orElse((Object)null);
}
@Override
protected Class getJsonViews(Collection<? extends GrantedAuthority> authorities) {
return authorities.stream()
.map(GrantedAuthority::getAuthority)
.map(Role::valueOf)
.max(Comparator.comparing(Role::ordinal))
.map(View.MAPPING::get)
.orElse(null);
}
}
Yes, that is because the AnonymousAuthenticationFilter Spring Security uses has the "ROLE_ANONYMOUS" hardcoded inside.
You can change that behavior with this override in your WebSecurityConfigurerAdapter
@Override
protected void configure(HttpSecurity http) throws Exception {
http.anonymous().authorities("ANONYMOUS"); // or your custom role
}
作者:黑洞官方问答小能手
链接:http://www.javaheidong.com/blog/article/526539/65afef9417b3c851f3ea/
来源:java黑洞网
任何形式的转载都请注明出处,如有侵权 一经发现 必将追究其法律责任
昵称:
评论内容:(最多支持255个字符)
---无人问津也好,技不如人也罢,你都要试着安静下来,去做自己该做的事,而不是让内心的烦躁、焦虑,坏掉你本来就不多的热情和定力
Copyright © 2018-2021 java黑洞网 All Rights Reserved 版权所有,并保留所有权利。京ICP备18063182号-2
投诉与举报,广告合作请联系vgs_info@163.com或QQ3083709327
免责声明:网站文章均由用户上传,仅供读者学习交流使用,禁止用做商业用途。若文章涉及色情,反动,侵权等违法信息,请向我们举报,一经核实我们会立即删除!