Springboot Security hasRole not working
I’m unable to use hasRole method in @PreAuthorize annotation. Also request.isUserInRole(“ADMIN”) gives false. What am I m
-
i had to improvise a little, maybe there is other ways simpler then mine, but at the time i worked on this i had no other choice but to improvise a bit, after a thorough research came up with this solution. spring security has an interface called
AccessDecisionManager, you will need to implement it.@Component public class RolesAccessDecisionManager implements AccessDecisionManager { private final static String AUTHENTICATED = "authenticated"; private final static String PERMIT_ALL = "permitAll"; @Override public void decide(Authentication authentication, Object o, Collectioncollection) throws AccessDeniedException, InsufficientAuthenticationException { collection.forEach(configAttribute -> { if (!this.supports(configAttribute)) throw new AccessDeniedException("ACCESS DENIED"); }); } @Override public boolean supports(ConfigAttribute configAttribute) { Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); if (authentication != null && authentication.isAuthenticated()) { String rolesAsString = authentication.getAuthorities().stream().map(GrantedAuthority::getAuthority).collect(Collectors.joining(",")); if (configAttribute.toString().contains(rolesAsString)) return true; else return (configAttribute.toString().contains(PERMIT_ALL) || configAttribute.toString().contains(AUTHENTICATED)); } return true; } @Override public boolean supports(Class aClass) { return true; } } now to support this custom access-decision-manager with your security config do this in the security configuration
@Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable() // other configs .accessDecisionManager(this.accessDecisionManager)accessDecisionManageris the autowired bean of theAccessDecisionManagerimplementation you've created.
加载中...
- 热议问题