发布于2022-09-30 20:16 阅读(1056) 评论(0) 点赞(24) 收藏(0)
I have a problem where I cannot acces any url while logged in on an accont with a custom defined ROLE.
To create the new roles for my app, I added my new roles in the AuthoritiesConstants
class and in authorities.csv
.
Then I manually inserted my new desired roles : ROLE_STUDENT
and ROLE_PROFESOR
in my h2-database.
Then I logged in on the admin account and tried and succeeded to create a new user with the ROLE_STUDENT
.
Then I logged on to this new account and tried to access http://localhost:9000/api/users
to get the full list of users.
I got the following error :
2020-03-19 10:59:05.687 DEBUG 13892 --- [ XNIO-1 task-15] base.aop.logging.LoggingAspect : Enter: base.repository.CustomAuditEventRepository.add() with argument[s] = [AuditEvent [timestamp=2020-03-19T08:59:05.686Z, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null, type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]]
2020-03-19 10:59:05.691 DEBUG 13892 --- [ XNIO-1 task-15] base.aop.logging.LoggingAspect : Exit: base.repository.CustomAuditEventRepository.add() with result = null
2020-03-19 10:59:05.693 WARN 13892 --- [ XNIO-1 task-15] o.z.problem.spring.common.AdviceTraits : Unauthorized: Full authentication is required to access this resource
2020-03-19 10:59:05.695 WARN 13892 --- [ XNIO-1 task-15] .m.m.a.ExceptionHandlerExceptionResolver : Resolved [org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource]
In my SecurityConfiguration
class, this url falls under .antMatchers("/api/**").authenticated()
. So I was supposed to be able to access it from any account, as long as I am logged in.
To my dismay, it seems I cannot access any URL, apart from the home page, from this account. I manually checked my database to see if the user has been created and has the correct role. All is well there. Can someone help me solve this ?
You have to open the routes to the new roles too, this is done on the client side. This is more or less how it looks if you use angular.
The home component is open to anyone as you can see in the file home.route.ts
.
export const HOME_ROUTE: Route = {
path: '',
component: HomeComponent,
data: {
authorities: [], // <- Empty, so anyone can access the home
pageTitle: 'home.title'
}
};
On the other hand, if you want to grant access to a new role in a regular component, you'll have to add it to the valid authorities array in your [entity-name].route.ts
.
export const fooRoute: Routes = [
{
...
data: {
authorities: ['ROLE_STUDENT', 'ROLE_PROFESOR'],
...
},
...
That gives access to any user who has either ROLE_STUDENT
or ROLE_PROFESOR
, but not regular users (who only have ROLE_USER
). This was just an example.
In any case, if I understood your question correctly, you were trying to access an api/...
mapping directly in your browser. That's not a good idea and it's good that it fails since the client usually adds stuff to most requests so that they are properly handled and validated by the server (XSRF
, auth token
, ...).
作者:黑洞官方问答小能手
链接:http://www.javaheidong.com/blog/article/526543/b49435635b2ffca7f38e/
来源:java黑洞网
任何形式的转载都请注明出处,如有侵权 一经发现 必将追究其法律责任
昵称:
评论内容:(最多支持255个字符)
---无人问津也好,技不如人也罢,你都要试着安静下来,去做自己该做的事,而不是让内心的烦躁、焦虑,坏掉你本来就不多的热情和定力
Copyright © 2018-2021 java黑洞网 All Rights Reserved 版权所有,并保留所有权利。京ICP备18063182号-2
投诉与举报,广告合作请联系vgs_info@163.com或QQ3083709327
免责声明:网站文章均由用户上传,仅供读者学习交流使用,禁止用做商业用途。若文章涉及色情,反动,侵权等违法信息,请向我们举报,一经核实我们会立即删除!