81,092
社区成员
发帖
与我相关
我的任务
分享spring boot security oauth2 Resource Server端权限需要怎么认证?
这是Resource Server端部分的配置:
这是Resource Server端部分的一个Controller:
我通过在认证中心认证后拿到token,然后访问Resource Server端这个/api/user 后得到如下结果:
user page
.....
getAuthentication = {"authenticated":true,"authorities":[{"authority":"admin"}],"clientOnly":false,"credentials":"","details":{"remoteAddress":"0:0:0:0:0:0:0:1","sessionId":"D15E150D3492DC0545B49B5DB56668A0","tokenType":"Bearer","tokenValue":"a0274f6d-0096-4a72-9d3b-8a551c552d90"},"name":"user","oAuth2Request":{"approved":true,"authorities":[],"clientId":"demo","extensions":{},"refresh":false,"requestParameters":{"client_id":"demo"},"resourceIds":[],"responseTypes":[],"scope":["read","write"]},"principal":"user","userAuthentication":{"authenticated":true,"authorities":[{"$ref":"$.authorities[0]"}],"credentials":"N/A","name":"user","principal":"user"}}
从{"authority":"admin"}可以看出来该用户只有admin的权限,但是他却能访问这个/api/user(需要userdsad权限)的页面,我很奇怪。
所以我最后想问的是,单点登录系统,在Resource Server端,怎么使用@PreAuthorize("hasAuthority('admin')") 这种注解,怎么使这种注解生效?
这是Resource Server端部分的一个Controller:
我通过在认证中心认证后拿到token,然后访问Resource Server端这个/api/user 后得到如下结果:
user page
.....
getAuthentication = {"authenticated":true,"authorities":[{"authority":"admin"}],"clientOnly":false,"credentials":"","details":{"remoteAddress":"0:0:0:0:0:0:0:1","sessionId":"D15E150D3492DC0545B49B5DB56668A0","tokenType":"Bearer","tokenValue":"a0274f6d-0096-4a72-9d3b-8a551c552d90"},"name":"user","oAuth2Request":{"approved":true,"authorities":[],"clientId":"demo","extensions":{},"refresh":false,"requestParameters":{"client_id":"demo"},"resourceIds":[],"responseTypes":[],"scope":["read","write"]},"principal":"user","userAuthentication":{"authenticated":true,"authorities":[{"$ref":"$.authorities[0]"}],"credentials":"N/A","name":"user","principal":"user"}}
从{"authority":"admin"}可以看出来该用户只有admin的权限,但是他却能访问这个/api/user(需要userdsad权限)的页面,我很奇怪。
所以我最后想问的是,单点登录系统,在Resource Server端,怎么使用@PreAuthorize("hasAuthority('admin')") 这种注解,怎么使这种注解生效?
...全文
请发表友善的回复…
发表回复
cauchy6317 2018-12-18
- 打赏
- 举报
在继承了WebSecurityConfigurerAdapter这个类上加上此注解@EnableGlobalMethodSecurity(prePostEnabled = true)
