JHipster: Enable anonymous users to read entity, but not update?

Submitted by 天涯浪子 on 2019-12-22 14:52:44

Question


I have generated a JHipster application using these values:

{
  "generator-jhipster": {
    "jhipsterVersion": "3.1.0",
    "baseName": "app",
    "packageName": "my.app",
    "packageFolder": "my/app",
    "serverPort": "8080",
    "authenticationType": "session",
    "hibernateCache": "ehcache",
    "clusteredHttpSession": "no",
    "websocket": "no",
    "databaseType": "sql",
    "devDatabaseType": "h2Disk",
    "prodDatabaseType": "mysql",
    "searchEngine": "elasticsearch",
    "buildTool": "gradle",
    "enableSocialSignIn": false,
    "rememberMeKey": "",
    "useSass": true,
    "applicationType": "monolith",
    "testFrameworks": [],
    "jhiPrefix": "jhi",
    "enableTranslation": false
  }
}

I would like to allow anonymous users to view an entity, but not update or delete that entity. I have tried editing the generated SecurityConfiguration.java file to add permitAll(HttpMethod.GET,"/**") for authorizeRequests() in the configure(HttpSecurity http) method. I still get directed to accessdenied when trying to access the entity.

Has anyone addressed this use case before?


Answer 1:


This is for AngularJS 1.x

For accessing the resources: in SecurityConfiguration.java, in the configure(HttpSecurity http) method:

    .and()
        .authorizeRequests()
        .antMatchers(HttpMethod.GET, "/api/**").permitAll()

For accessing the Angular views/states: for each entity, comment out or remove the authorities property for the read-only states. Below is an example for the Book entity in src/main/webapp/app/entities/book/book.state.js:

    .state('book', {
        parent: 'entity',
        url: '/book',
        data: {
            // authorities: ['ROLE_USER'],
            pageTitle: 'monoApp.book.home.title'
        },
        ....
    })
    .state('book-detail', {
        parent: 'entity',
        url: '/book/{id}',
        data: {
            // authorities: ['ROLE_USER'],
            pageTitle: 'monoApp.book.detail.title'
        },

However, pay attention to 2 things:

  • By using such a pattern in SecurityConfiguration, you also expose your users at /api/users. It would be safer to add a permitAll() per entity so that you keep full control on what you expose (whitelist approach).
  • The user experience is poor as you still expose buttons for adding or deleting entities. So you could hide them with ng-hide.
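The whitelist approach from the answer's first caveat, written out as an added example (this is not code from the original answer or from the JHipster generator): an excerpt of configure(HttpSecurity) that opens only the read endpoints of one entity to anonymous users and leaves every other /api route, /api/users included, behind authentication. It assumes a Book entity whose generated REST resource is served at /api/books with the Elasticsearch search endpoint at /api/_search/books (JHipster's default pluralised paths); adjust the paths to your own entities. Only this server-side rule enforces anything; removing the authorities from the Angular state and hiding buttons with ng-hide is a UX change, not a security boundary.

```java
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example (not the original answer's code): whitelist-style authorization
 * for a JHipster 3.x monolith with session authentication. Assumed entity: Book,
 * served at /api/books (JHipster's default pluralised REST path).
 */
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Hypothetical constant mirroring JHipster's AuthoritiesConstants.ADMIN.
    private static final String ROLE_ADMIN = "ROLE_ADMIN";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are evaluated top to bottom and the first match wins, so the
                // anonymous GET rules for the one exposed entity must come before the
                // catch-all /api/** rule. Only GET is opened: POST, PUT and DELETE on
                // /api/books fall through to the authenticated() rule below.
                .antMatchers(HttpMethod.GET, "/api/books").permitAll()
                .antMatchers(HttpMethod.GET, "/api/books/*").permitAll()
                .antMatchers(HttpMethod.GET, "/api/_search/books").permitAll()

                // The account endpoints the generator already opens for anonymous use.
                .antMatchers("/api/register").permitAll()
                .antMatchers("/api/activate").permitAll()
                .antMatchers("/api/authenticate").permitAll()
                .antMatchers("/api/account/reset_password/init").permitAll()
                .antMatchers("/api/account/reset_password/finish").permitAll()

                // Everything else under /api, including /api/users and /api/account,
                // still requires a logged-in user. A broad
                //     .antMatchers(HttpMethod.GET, "/api/**").permitAll()
                // placed here instead would leak the user list to anonymous callers.
                .antMatchers("/api/**").authenticated()
                .antMatchers("/management/**").hasAuthority(ROLE_ADMIN)
                .antMatchers("/v2/api-docs/**").permitAll()
                .antMatchers("/swagger-ui/index.html").hasAuthority(ROLE_ADMIN);
    }
}
```

After changing the rules, verify them from the outside rather than through the browser: `curl -i http://localhost:8080/api/books` should return 200 without a session cookie, `curl -i -X DELETE http://localhost:8080/api/books/1` and `curl -i http://localhost:8080/api/users` should both be refused (401 or a redirect to the login page, depending on the entry point configured in the rest of the class). Because this excerpt omits the generator's CSRF, remember-me and exception-handling setup, merge these authorizeRequests() lines into the generated method rather than replacing it.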


Source: https://stackoverflow.com/questions/36899967/jhipster-enable-anonymous-users-to-read-entity-but-not-update
