I am trying to set up view and update permissions on a resource in my project: if a user has role x, they can only view the resource; if they have role y, they can both view and update the same resource.

So far I have created a resource and defined two scopes, one for viewing and one for updating. What I don't understand, though, is how to define the methods (GET, POST, PATCH).
Here is my SecurityConfig.java:

```java
import org.keycloak.KeycloakPrincipal;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.springboot.KeycloakBaseSpringBootConfiguration;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springboot.KeycloakSpringBootProperties;
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.client.KeycloakClientRequestFactory;
import org.keycloak.adapters.springsecurity.client.KeycloakRestTemplate;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.management.HttpSessionManager;
import org.keycloak.representations.AccessToken;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.config.ConfigurableBeanFactory;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.web.context.WebApplicationContext;

@KeycloakConfiguration
@EnableConfigurationProperties(KeycloakSpringBootProperties.class)
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public KeycloakClientRequestFactory keycloakClientRequestFactory;

    /**
     * Registers the KeycloakAuthenticationProvider with the authentication manager.
     * Keycloak roles are mapped to Spring authorities of the form ROLE_<NAME>,
     * upper-cased (e.g. Keycloak role "y" becomes the authority "ROLE_Y").
     */
    @Autowired
    public void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception {
        final SimpleAuthorityMapper grantedAuthorityMapper = new SimpleAuthorityMapper();
        grantedAuthorityMapper.setPrefix("ROLE_");
        grantedAuthorityMapper.setConvertToUpperCase(true);
        final KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(grantedAuthorityMapper);
        // Register the instance that carries the mapper; calling keycloakAuthenticationProvider()
        // again here would register a fresh provider without the mapper.
        auth.authenticationProvider(keycloakAuthenticationProvider);
    }

    /**
     * Defines the session authentication strategy.
     */
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Bean
    @Override
    @ConditionalOnMissingBean(HttpSessionManager.class)
    protected HttpSessionManager httpSessionManager() {
        return new HttpSessionManager();
    }

    @Bean
    public KeycloakConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .authorizeRequests()
                .antMatchers("/api/**").authenticated()
                .and()
            .cors()
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .csrf().disable()
            .formLogin().disable()
            .httpBasic().disable()
            .logout().disable();
    }

    @Bean
    @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
    public KeycloakRestTemplate keycloakRestTemplate() {
        return new KeycloakRestTemplate(this.keycloakClientRequestFactory);
    }

    /**
     * Exposes the caller's Keycloak access token as a request-scoped bean;
     * an empty token is returned when the request is not Keycloak-authenticated.
     */
    @Bean
    @Scope(scopeName = WebApplicationContext.SCOPE_REQUEST, proxyMode = ScopedProxyMode.TARGET_CLASS)
    public AccessToken accessToken() {
        final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication != null && authentication.getPrincipal() instanceof KeycloakPrincipal) {
            return ((KeycloakPrincipal<?>) authentication.getPrincipal()).getKeycloakSecurityContext().getToken();
        } else {
            return new AccessToken();
        }
    }

    /**
     * Ensures the correct registration of KeycloakSpringBootConfigResolver when Keycloak's AutoConfiguration
     * is explicitly turned off in application.yml {@code keycloak.enabled: false}.
     */
    @Configuration
    static class CustomKeycloakBaseSpringBootConfiguration extends KeycloakBaseSpringBootConfiguration {
    }
}
```
application.yml:

```yaml
keycloak:
  enabled: false
  realm: phelix
  auth-server-url: URL
  ssl-required: none
  resource: CLIENT
  use-resource-role-mappings: true
  bearer-only: true
  cors: true
  policy-enforcer-config:
    enforcement-mode: PERMISSIVE
```
Posted on 2020-03-23 06:40:59

Add request matchers for the method type:

```java
.antMatchers(HttpMethod.GET, "/api/**").hasAnyRole("x", "y")
.antMatchers(HttpMethod.POST, "/api/**").hasRole("y")
```
https://stackoverflow.com/questions/60805573
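The following is an added example, not code from the question or the answer above, showing a complete `configure(HttpSecurity)` that applies the per-method matchers to GET, POST and PATCH (the three verbs the question names; the answer shows GET and POST). Two points matter for it to work with the question's configuration. First, the matchers must be listed before the catch-all `.antMatchers("/api/**").authenticated()`, because Spring Security applies the first matcher that fits a request. Second, the question's `SimpleAuthorityMapper` is set to prefix `ROLE_` and upper-case the name, so Keycloak role `y` arrives as the authority `ROLE_Y`, while `hasRole("y")` checks for `ROLE_y`; the example therefore uses upper-case role names. The path `/api/resource/**`, the class name and the role names `X`/`Y` are assumptions for illustration.

```java
// Added example (not from the original post). Assumes the authority mapper from the
// question (prefix "ROLE_", upper-cased) is registered, so Keycloak client roles
// "x" and "y" become the authorities "ROLE_X" and "ROLE_Y". The path
// "/api/resource/**" is a hypothetical resource path.
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@KeycloakConfiguration
public class MethodScopedSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        // Bearer-only API: no server-side session is created for the caller.
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .csrf().disable()
            .authorizeRequests()
                // Most specific rules first: the first matcher that fits a request wins.
                // Viewers (role x) and editors (role y) may read the resource.
                .antMatchers(HttpMethod.GET, "/api/resource/**").hasAnyRole("X", "Y")
                // Only editors (role y) may create or update the resource.
                .antMatchers(HttpMethod.POST, "/api/resource/**").hasRole("Y")
                .antMatchers(HttpMethod.PATCH, "/api/resource/**").hasRole("Y")
                // Any other verb on the resource (DELETE, PUT, ...) is refused explicitly
                // instead of falling through to the weaker catch-all below.
                .antMatchers("/api/resource/**").denyAll()
                // The rest of the API only requires a valid token.
                .antMatchers("/api/**").authenticated()
                // Everything outside /api is denied by default.
                .anyRequest().denyAll();
    }
}
```

If the mapper is later changed to `setConvertToUpperCase(false)`, the role names in `hasRole`/`hasAnyRole` must match the Keycloak role names exactly (`"x"`, `"y"`), as in the answer above; the `ROLE_` prefix is added by Spring Security in both cases and must not be written into the `hasRole` argument.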