RError.com

Questions [spring-security]

Дмитрий
Asked: 2023-12-10 00:45:12 +0000 UTC

Thymeleaf access-restriction expression in a view

  • 5

I am building a web application in Spring Boot with Spring Security and Thymeleaf. The view is a page with comments that can be added, viewed, edited and deleted. I need a restriction in the view so that, under each comment on the comments page, the "Edit comment" button is shown only to the user who is the author of that comment, but I don't know how to express this in Thymeleaf.

I found these constructs online:

    <div th:if="${#authorization.expression('hasRole(''ROLE_ADMIN'')')}">
      ADMIN section
    </div>
    <div sec:authentication="name"></div>
    <div sec:authentication="principal.authorities"></div>

But I don't know how to rephrase this correctly for my case. Thanks.

spring-security
  • 1 answer
  • 33 Views
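An added example for the question above (not code from the post or from its author). It shows the per-comment `th:if` check in the view and, because hiding a button does not stop anyone from POSTing to the edit URL, the same ownership rule enforced on the controller method with `@PreAuthorize`. It assumes Spring Boot 3 (`jakarta.persistence`, thymeleaf-extras-springsecurity6), a `Comment` entity as sketched here whose `author` field holds the author's username, a Spring Data `CommentRepository`, and `@EnableMethodSecurity` on a configuration class; all of those names are assumptions.

```java
// Added example, not code from the question. Assumes Spring Boot 3 (jakarta.persistence,
// thymeleaf-extras-springsecurity6), the Comment entity sketched below, and
// @EnableMethodSecurity on a configuration class.
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Controller;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

/*
 * View side. #authentication is the utility object of the Spring Security dialect
 * (declare xmlns:sec="http://www.thymeleaf.org/extras/spring-security" on <html>):
 *
 *   <div th:each="comment : ${comments}">
 *     <p th:text="${comment.text}"></p>
 *     <a sec:authorize="isAuthenticated()"
 *        th:if="${comment.author == #authentication.name}"
 *        th:href="@{/comments/{id}/edit(id=${comment.id})}">Edit comment</a>
 *   </div>
 *
 * Hiding the link is cosmetic: anyone can still POST to /comments/{id}/edit, so the
 * same ownership rule is enforced on the endpoint below.
 */
@Entity
class Comment {
    @Id @GeneratedValue
    private Long id;
    private String author;   // username of the author, as returned by Authentication.getName()
    private String text;

    public Long getId() { return id; }
    public String getAuthor() { return author; }
    public String getText() { return text; }
    public void setText(String text) { this.text = text; }
}

interface CommentRepository extends JpaRepository<Comment, Long> {}

@Service("commentSecurity")
class CommentSecurity {
    private final CommentRepository comments;

    CommentSecurity(CommentRepository comments) { this.comments = comments; }

    /** True only when the authenticated user is the author of the given comment. */
    public boolean isOwner(Long commentId, Authentication authentication) {
        if (authentication == null || !authentication.isAuthenticated()) {
            return false;
        }
        return comments.findById(commentId)
                .map(c -> c.getAuthor().equals(authentication.getName()))
                .orElse(false);
    }
}

@Controller
@RequestMapping("/comments")
class CommentController {
    private final CommentRepository comments;

    CommentController(CommentRepository comments) { this.comments = comments; }

    // The server-side check; #id is the path variable, authentication the current principal.
    @PreAuthorize("@commentSecurity.isOwner(#id, authentication)")
    @PostMapping("/{id}/edit")
    public String edit(@PathVariable Long id, @RequestParam String text) {
        Comment comment = comments.findById(id).orElseThrow();
        comment.setText(text);
        comments.save(comment);
        return "redirect:/comments";
    }
}
```

The `th:if` compares the comment's stored author name with the name of the current `Authentication`; a comment by another user simply renders without the link. A missing or failed `@PreAuthorize` would leave the edit endpoint open to any logged-in user who guesses a comment id, so the view expression and the method-security expression should encode the same rule.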
V-CHO
Asked: 2022-07-26 14:55:04 +0000 UTC

Page crashes with a 500 error when authentication is added

  • 0

Gentlemen, experts, please tell me: a Spring Boot / Security project; when sec:authentication=”principal.authorities” is added to the html/Thymeleaf, the browser returns 500 and

Error retrieving value for property "”principal.authorities”" of authentication object of class org.springframework.security.authentication.UsernamePasswordAuthenticationToken

Invalid property '”principal' of bean class [org.springframework.security.authentication.UsernamePasswordAuthenticationToken]: Bean property '”principal' is not readable or has an invalid getter method: Does the return type of the getter match the parameter type of the setter?

At the same time, authentication.getAuthorities() shows the values in the console, everything is in place in the debugger, and if you comment out the problematic line, the access restriction on the button works:

    <div sec:authorize="hasAuthority('ADMIN')">
    <form th:action="@{/bankdemo/accounts/show/{phone}(phone=${account.phone})}"
     th:method="delete">
        <input type="hidden" th:name="id" th:value="${bill.id}"/> 
            <button class="btn btn-danger"
            onclick="if (!(confirm('Are you sure you want to delete this bill?')))
                return false">
            Erase</button>
    </form>
    </div>

Field:

    @ElementCollection(targetClass = Role.class)
    @CollectionTable(name="roles", joinColumns = @JoinColumn(name="account_id"))
    @Enumerated(EnumType.STRING)
    private Set<Role> roles;

Getter:

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return roles;
    }

Enum:

public enum Role implements GrantedAuthority{
    ADMIN, CLIENT;

    @Override
    public String getAuthority() {
        return name();
    }
}

What is wrong?

spring-boot spring-security
  • 1 answer
  • 43 Views
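An added example for the question above (not code from the post). The two error lines quoted in the question are the Spring Security dialect resolving the attribute text as a Spring bean property path on the `Authentication` object, and the second line shows the path it received: `”principal` with a typographic quote in front, which is not a readable property of `UsernamePasswordAuthenticationToken`. The block below reproduces that lookup outside Thymeleaf with `BeanWrapperImpl`, once with a plain ASCII path and once with the curly-quoted path; the principal named `alice` with authority `ADMIN` is constructed for the demo and stands in for the `Account` entity of the question.

```java
// Added example, not code from the question. Reproduces, outside Thymeleaf, the property
// lookup performed for sec:authentication="...": the attribute text is read as a bean
// property path on the Authentication object. Principal "alice"/"ADMIN" is constructed here.
import org.springframework.beans.BeanWrapper;
import org.springframework.beans.BeanWrapperImpl;
import org.springframework.beans.NotReadablePropertyException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

public class AuthenticationPropertyDemo {

    /** Mirrors what the dialect does with the text of the sec:authentication attribute. */
    static Object readAuthenticationProperty(Authentication authentication, String property) {
        BeanWrapper wrapper = new BeanWrapperImpl(authentication);
        return wrapper.getPropertyValue(property);   // nested path, resolved on the runtime types
    }

    public static void main(String[] args) {
        UserDetails principal = User.withUsername("alice")
                .password("{noop}secret")
                .authorities("ADMIN")
                .build();
        Authentication auth = new UsernamePasswordAuthenticationToken(
                principal, null, principal.getAuthorities());

        // Straight ASCII quotes in the template: the path is principal.authorities and resolves
        // through getPrincipal() and then getAuthorities() on the UserDetails.
        Object authorities = readAuthenticationProperty(auth, "principal.authorities");
        System.out.println("principal.authorities -> " + authorities);

        // Typographic quotes (U+201D) pasted from a document become part of the property name,
        // so the first path segment is the literal string ”principal and the lookup fails.
        String curlyQuoted = "\u201Dprincipal.authorities\u201D";
        try {
            readAuthenticationProperty(auth, curlyQuoted);
        } catch (NotReadablePropertyException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The message printed in the `catch` branch is the same `Invalid property '”principal' of bean class [...]` text the question shows, which is the practical check: whenever the quoted property name in a `sec:` or `th:` error carries a stray character, compare the template source byte-for-byte with what an editor rendered, since `”` and `"` look alike but are different code points.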
Yan Zaitsau
Asked: 2022-07-13 23:37:56 +0000 UTC

How to get the current user with Spring Boot + JPA

  • 0

With the help of this video I am trying to build a similar shopping cart. At this stage I am trying to get the information about the products (tours) in the user's basket. I have got to minute 35. [link]

I have a model that joins tours and users

@Entity
@Table(name = "cart_items")
public class CartItem {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private int id;

    @ManyToOne
    @JoinColumn(name = "tour_id")
    private Tour tour;

    @ManyToOne
    @JoinColumn(name = "user_id")
    private User user;

    @Column(name = "order_date")
    private Date date = new Date();

    // getters and setters
}

A regular user model

package com.zaitsava.springboot_touristsite.entity;

import javax.persistence.*;
import java.util.Set;


@Entity
@Table(name = "user")
public class User {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private int id;
    @Column(name = "firstname")
    private String firstname;

    @Column(name = "lastname")
    private String lastname;

    @Column(name = "patronymic")
    private String patronymic;

    @Column(name = "email")
    private String email;

    @Column(name = "phone")
    private String phone;

    @Column(name = "password")
    private String password;

    @Column(name = "active")
    private int active;

    @ManyToMany(cascade=CascadeType.ALL)
    @JoinTable(name="user_role", joinColumns=@JoinColumn(name="user_id"),
            inverseJoinColumns=@JoinColumn(name="role_id"))
    private Set<Role> roles;
    // getters and setters
}

Service

import com.zaitsava.springboot_touristsite.entity.CartItem;
import com.zaitsava.springboot_touristsite.entity.User;
import com.zaitsava.springboot_touristsite.repository.CartItemRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

import java.util.List;

@Service
public class ShoppingCartService {
    @Autowired
    private CartItemRepository cartItemRepository;

    public List<CartItem> cartItemList(User user){
        return cartItemRepository.findByUser(user);
    }
}

and the repository:

package com.zaitsava.springboot_touristsite.repository;

import com.zaitsava.springboot_touristsite.entity.CartItem;
import com.zaitsava.springboot_touristsite.entity.User;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Repository;

import java.util.List;
@Repository
public interface CartItemRepository extends JpaRepository<CartItem,Integer> {
    public List<CartItem> findByUser(User user);
}

Everything is added and written to the database fine through the tests. [screenshot]

The problems start with the controller that displays the products. Because the author's implementation extends the User class with different methods, I cannot get the current user in the controller. I tried doing

package com.zaitsava.springboot_touristsite.controller;

import com.zaitsava.springboot_touristsite.entity.CartItem;
import com.zaitsava.springboot_touristsite.entity.CurrentUser;
import com.zaitsava.springboot_touristsite.entity.User;
import com.zaitsava.springboot_touristsite.service.ShoppingCartService;
import com.zaitsava.springboot_touristsite.service.UserServiceImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;


import java.util.List;

@Controller
public class ShoppingCartController {
    @Autowired
    private ShoppingCartService cartService;
    @Autowired
    private UserServiceImpl userService;

    @GetMapping("/cart")
    public String showCart(Model model,@CurrentUser User user){

        if(user==null) System.out.println("User is null");

        List<CartItem> cartItemList=cartService.cartItemList(user);
        model.addAttribute("cartItems",cartItemList);
        return "user/cart";
    }


}

Through an annotation for the current user

package com.zaitsava.springboot_touristsite.entity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import java.lang.annotation.*;

@Target({ElementType.PARAMETER, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@Documented
@AuthenticationPrincipal
public @interface CurrentUser {}

But I get a null user, even though I am logged in as the user with id 4. I also tried it through a parameter

    public String showCart(Model model, Principal principal) {
        Authentication authentication = (Authentication) principal;
        User user = (User) authentication.getPrincipal();
        // rest of the code
    }

but then I get an error about an invalid type cast

Update: added the Spring Security settings

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private BCryptPasswordEncoder bCryptPasswordEncoder;

    @Autowired
    private DataSource dataSource;

    private final String USERS_QUERY = "select email, password, active from user where email=?";
    private final String ROLES_QUERY = "select u.email, r.role from user u inner join user_role ur on (u.id = ur.user_id) inner join role r on (ur.role_id=r.role_id) where u.email=?";

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
                .usersByUsernameQuery(USERS_QUERY)
                .authoritiesByUsernameQuery(ROLES_QUERY)
                .dataSource(dataSource)
                .passwordEncoder(bCryptPasswordEncoder);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/user/cart").authenticated()
                .antMatchers("/login").permitAll()
                .antMatchers("/signup").permitAll()
                .antMatchers("favicon.ico").permitAll()
               /* .antMatchers("/admin/**").access("hasRole('ADMIN')")*/
                .antMatchers("/main/**").hasAuthority("ADMIN").anyRequest()
                .authenticated().and().csrf().disable()
                .formLogin().loginPage("/login").permitAll().failureUrl("/login?error=true")
                .defaultSuccessUrl("/")
                .usernameParameter("email")
                .passwordParameter("password")
                .and().logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/")
                .and().rememberMe()
                .tokenRepository(persistentTokenRepository())
                .tokenValiditySeconds(60 * 60)
                .and().exceptionHandling().accessDeniedPage("/access_denied");

    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring()
                .antMatchers("/images/**")
                .antMatchers("/fonts/**");
    }

    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl db = new JdbcTokenRepositoryImpl();
        db.setDataSource(dataSource);

        return db;
    }
}

User controller:

package com.zaitsava.springboot_touristsite.controller;


import javax.validation.Valid;

import com.zaitsava.springboot_touristsite.entity.User;
import com.zaitsava.springboot_touristsite.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class UserController {

    @Autowired
    private UserService userService;

    @GetMapping("/signup")
    public ModelAndView signup() {
        ModelAndView model = new ModelAndView();
        User user = new User();
        model.addObject("user", user);
        model.setViewName("user/signup");
        return model;
    }

    @PostMapping("/signup")
    public ModelAndView createUser(@Valid User user, BindingResult bindingResult) {
        ModelAndView model = new ModelAndView();
        User userExists = userService.findUserByEmail(user.getEmail());

        if(userExists != null) {
            bindingResult.rejectValue("email", "error.user", "User with this email exists");
        }
        if(bindingResult.hasErrors()) {
            model.setViewName("user/signup");
        } else {
            userService.saveUser(user);
            model.addObject("msg", "User successfully registered!");
            model.addObject("user", new User());
            model.setViewName("redirect:home/main");
        }

        return model;
    }



    @GetMapping("/home/main")
    public ModelAndView home() {
        ModelAndView model = new ModelAndView();
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        User user = userService.findUserByEmail(auth.getName());

        model.addObject("userName", "Hello,"+user.getFirstname() + " " + user.getLastname()+" "+user.getPatronymic());
        model.setViewName("redirect:/");
        return model;
    }

    @GetMapping("/access_denied")
    public ModelAndView accessDenied() {
        ModelAndView model = new ModelAndView();
        model.setViewName("errors/access_denied");
        return model;
    }
}

I don't understand what I need to do to make the controller work

spring-boot spring-security
  • 1 answer
  • 106 Views
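An added example for the question above (not code from the post or its author). With `jdbcAuthentication()`, the principal that ends up in the `SecurityContext` is Spring's own `org.springframework.security.core.userdetails.User`, not the JPA `User` entity; `@AuthenticationPrincipal` returns null when the principal is not assignable to the parameter type (the `@CurrentUser` meta-annotation is fine in itself), and the cast in the `Principal` variant fails for the same reason. The block keeps the question's `User`, `Role`, `ShoppingCartService` and controller names, loads users through a `UserDetailsService` that carries the entity, and exposes it to the controller with `@AuthenticationPrincipal(expression = "user")`. It assumes a Spring Data `UserRepository` with `findByEmail(String)` and that `Role` has a `getRole()` returning the value of the `role` column used in `ROLES_QUERY`; both are assumptions.

```java
// Added example, not code from the question. Keeps the question's User, Role, ShoppingCartService
// and controller names; assumes a Spring Data UserRepository with findByEmail(String) and that
// Role.getRole() returns the value of the role column used in ROLES_QUERY.
import java.util.Collection;
import java.util.stream.Collectors;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Controller;
import org.springframework.stereotype.Service;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

/** UserDetails view over the JPA entity; the entity stays reachable through getUser(). */
class AppUserDetails implements UserDetails {
    private final User user;

    AppUserDetails(User user) { this.user = user; }

    public User getUser() { return user; }

    @Override public String getUsername() { return user.getEmail(); }
    @Override public String getPassword() { return user.getPassword(); }   // bcrypt hash from the DB
    @Override public boolean isEnabled() { return user.getActive() == 1; }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return user.getRoles().stream()
                .map(r -> new SimpleGrantedAuthority(r.getRole()))
                .collect(Collectors.toList());
    }
}

/**
 * Replaces jdbcAuthentication(). In SecurityConfiguration.configure(AuthenticationManagerBuilder) use
 *   auth.userDetailsService(jpaUserDetailsService).passwordEncoder(bCryptPasswordEncoder);
 * so that the principal stored in the SecurityContext is an AppUserDetails.
 */
@Service
class JpaUserDetailsService implements UserDetailsService {
    private final UserRepository users;

    JpaUserDetailsService(UserRepository users) { this.users = users; }

    @Override
    public UserDetails loadUserByUsername(String email) {
        User user = users.findByEmail(email);
        if (user == null) {
            throw new UsernameNotFoundException("no user for " + email);
        }
        return new AppUserDetails(user);
    }
}

@Controller
class ShoppingCartController {
    private final ShoppingCartService cartService;

    ShoppingCartController(ShoppingCartService cartService) { this.cartService = cartService; }

    // expression = "user" evaluates getUser() on the principal and yields the JPA entity.
    // The question's @CurrentUser meta-annotation works the same way once it is declared as
    // @AuthenticationPrincipal(expression = "user"). The endpoint sits behind
    // anyRequest().authenticated() in the question's config, so the principal is always an
    // AppUserDetails here.
    @GetMapping("/cart")
    public String showCart(Model model, @AuthenticationPrincipal(expression = "user") User user) {
        model.addAttribute("cartItems", cartService.cartItemList(user));
        return "user/cart";
    }
}
```

Two caveats a reviewer would raise on the configuration shown in the question: `csrf().disable()` removes CSRF protection from the cookie-authenticated signup and cart forms, and Thymeleaf's `th:action` inserts the token automatically, so it can simply be re-enabled; and `rememberMe()` with `JdbcTokenRepositoryImpl` only works once the `persistent_logins` table exists, which `setCreateTableOnStartup(true)` can create on first run.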
AlexPopov
Asked: 2021-10-24 00:55:59 +0000 UTC

How to make the password automatically encrypted into a 12-character string?

  • 0

Right now, when a new user is added to the database through the HTML form, the password is written to the database exactly as I typed it into the form; is it possible to somehow make the password go into the database in encrypted form straight away?

What is the best way to organize this in a simple CRUD application written with Spring MVC + Security + Hibernate + Thymeleaf?

Most of the examples are written with XML files (or I didn't search well enough), but at the moment I don't know how to put this together in JavaConfig.

Link to the git repository

The BCryptPasswordEncoder bean and the autowiring that uses it

    @Bean
    public BCryptPasswordEncoder bCryptPasswordEncoder() {
        return new BCryptPasswordEncoder(12);
    }

    @Autowired
    protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService).passwordEncoder(bCryptPasswordEncoder());
    }

The HTML form for adding a user

<form action="#" th:action="@{addUser}" th:object="${user}" method="post">
    <label for="name">Name</label>
    <input type="text" th:field="*{name}" id="name" placeholder="Name">
    <span th:if="${#fields.hasErrors('name')}" th:errors="*{name}"></span>

    <label for="password">Password</label>
    <input type="text" th:field="*{password}" id="password" placeholder="Password">
    <span th:if="${#fields.hasErrors('password')}" th:errors="*{password}"></span>

    <label for="email">Email</label>
    <input type="text" th:field="*{email}" id="email" placeholder="Email">
    <span th:if="${#fields.hasErrors('email')}" th:errors="*{email}"></span>
    
    <input type="submit" value="Add User">
</form>

The controller for adding a new user

    @GetMapping
    public ModelAndView showRegistrationForm(User user) {
        ModelAndView modelAndView = new ModelAndView("reg");
        modelAndView.addObject("user", user);
        return modelAndView;
    }

    @PostMapping("/newUser")
    public String createUser(User user) {
        user.getRoleSet().add(roleService.getDefaultRole());
        userService.addUser(user);
        return "redirect:/index";
    }

PS: the addUser method calls the addUser method on the service, which in turn is implemented with JPA (save(user))

spring-security
  • 1 answer
  • 10 Views
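An added example for the question above (not code from the linked repository). The `BCryptPasswordEncoder(12)` bean in the question is only consulted at login time by `AuthenticationManagerBuilder`; nothing hashes the password on the way into the database unless the service does it. The `12` is the bcrypt cost factor (2^12 rounds), not an output length; the encoder always produces a 60-character string of the form `$2a$12$` followed by the salt and hash. The service below hashes once, on registration, and never re-encodes an already hashed value; it assumes a Spring Data `UserRepository` and a `UserService` interface declaring `addUser` and `changePassword`, both of which are assumptions, while the controller, form and encoder bean from the question stay as they are.

```java
// Added example, not code from the question's repository. Hashes the password once, in the
// service, before the entity is persisted. Assumes a Spring Data UserRepository and a
// UserService interface declaring addUser and changePassword.
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
public class UserServiceImpl implements UserService {
    private final UserRepository userRepository;
    private final PasswordEncoder passwordEncoder;   // resolves to the BCryptPasswordEncoder(12) bean

    public UserServiceImpl(UserRepository userRepository, PasswordEncoder passwordEncoder) {
        this.userRepository = userRepository;
        this.passwordEncoder = passwordEncoder;
    }

    /** Registration: the entity arrives with the raw form value and is stored with a bcrypt hash. */
    @Override
    @Transactional
    public void addUser(User user) {
        String raw = user.getPassword();
        if (raw == null || raw.isBlank()) {
            throw new IllegalArgumentException("password is required");
        }
        user.setPassword(passwordEncoder.encode(raw));   // fresh salt on every call
        userRepository.save(user);
    }

    /** Password change: verify the current one, encode the new one, never re-encode the stored hash. */
    @Override
    @Transactional
    public void changePassword(User user, String currentRaw, String newRaw) {
        if (!passwordEncoder.matches(currentRaw, user.getPassword())) {
            throw new IllegalArgumentException("current password does not match");
        }
        user.setPassword(passwordEncoder.encode(newRaw));
        userRepository.save(user);
    }

    /** Stand-alone look at what the encoder produces, independent of the web layer. */
    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder(12);
        String hash = encoder.encode("correct horse battery staple");
        System.out.println(hash.length() + " characters: " + hash);
        // matches() re-runs bcrypt with the salt embedded in the stored hash, so the same
        // raw password verifies although a second encode() call yields a different string.
        System.out.println(encoder.matches("correct horse battery staple", hash));
        System.out.println(encoder.encode("correct horse battery staple").equals(hash));
    }
}
```

Because `addUser` mutates the entity it receives, any edit flow that reloads the user, copies all form fields and calls `addUser` again would hash the hash; keep the two paths separate as above. The form in the question also renders the password with `type="text"`; `type="password"` costs nothing and keeps it out of shoulder view and browser autofill for plain inputs.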
bsuart
Asked: 2020-09-19 05:36:20 +0000 UTC

An algorithm for using JWT in a microservice architecture

  • 3

Do I understand the use of JWT in a microservice architecture correctly:

During authentication, an access token and a refresh token are created for the user. The refresh token stores the id of the access token. The access token is sent to the user in a header and is stored in WebStorage or Cookies, while the access token is stored somewhere (a database or a file). On the client's subsequent requests to the server, the access token is sent to the server, where its validity is checked and then, if that succeeds, its lifetime is checked, and if so, a new access token is issued.

spring-security
  • 1 answer
  • 10 Views
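An added example for the question above (not from the post), written against the JDK only so it needs no JWT library. It shows the split that the description mixes up: the access token is a signed, short-lived HS256 JWT that any service holding the key verifies by signature and `exp` alone, with no store lookup; the refresh token is an opaque random value that is never a JWT, of which only a SHA-256 hash is kept server-side, and that is consumed and replaced on every use so a replayed refresh token fails. The `ConcurrentHashMap` stands in for the database; class and method names are the example's own.

```java
// Added example, not from the post. Plain-JDK sketch of the access/refresh split: a signed
// short-lived JWT for access, an opaque rotated refresh token whose hash is stored server-side.
// The map stands in for the database; all names here are the example's own. Needs Java 16+.
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class TokenService {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private static final Pattern EXP = Pattern.compile("\"exp\":(\\d{1,18})");
    private static final Pattern SUB = Pattern.compile("\"sub\":\"([^\"]*)\"");

    private final SecretKeySpec hmacKey;
    private final long accessTtlSeconds;
    private final SecureRandom random = new SecureRandom();
    // sha256(refresh token) -> subject. Only the hash is persisted, so a leaked table
    // does not hand out usable refresh tokens.
    private final Map<String, String> refreshStore = new ConcurrentHashMap<>();

    public record TokenPair(String access, String refresh) {}

    public TokenService(byte[] key, long accessTtlSeconds) {
        this.hmacKey = new SecretKeySpec(key, "HmacSHA256");
        this.accessTtlSeconds = accessTtlSeconds;
    }

    /** Authentication: one pair per login. */
    public TokenPair login(String subject) {
        if (subject.contains("\"") || subject.contains("\\")) {
            throw new IllegalArgumentException("subject must not contain JSON quoting characters");
        }
        return new TokenPair(issueAccess(subject), issueRefresh(subject));
    }

    /** Every request: subject of a correctly signed, unexpired access token, else null. */
    public String verifyAccess(String token) {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return null;
        byte[] given;
        String payload;
        try {
            given = B64D.decode(parts[2]);
            payload = new String(B64D.decode(parts[1]), UTF_8);
        } catch (IllegalArgumentException e) {
            return null;
        }
        // The alg header is never consulted: the server only ever uses its own HMAC key,
        // which removes the alg=none and key-confusion class of mistakes.
        if (!MessageDigest.isEqual(hmac(parts[0] + "." + parts[1]), given)) return null;
        Matcher exp = EXP.matcher(payload);
        Matcher sub = SUB.matcher(payload);
        if (!exp.find() || !sub.find()) return null;
        if (Long.parseLong(exp.group(1)) <= Instant.now().getEpochSecond()) return null;
        return sub.group(1);
    }

    /** Access token expired: the refresh token is consumed; presenting it twice fails. */
    public TokenPair refresh(String refreshToken) {
        String subject = refreshStore.remove(sha256(refreshToken));
        return subject == null ? null : login(subject);
    }

    /** Logout: drop the refresh token; the access token simply ages out at exp. */
    public void revoke(String refreshToken) {
        refreshStore.remove(sha256(refreshToken));
    }

    private String issueAccess(String subject) {
        long now = Instant.now().getEpochSecond();
        String header = B64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(UTF_8));
        String claims = String.format("{\"sub\":\"%s\",\"iat\":%d,\"exp\":%d}",
                subject, now, now + accessTtlSeconds);
        String signingInput = header + "." + B64.encodeToString(claims.getBytes(UTF_8));
        return signingInput + "." + B64.encodeToString(hmac(signingInput));
    }

    private String issueRefresh(String subject) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String refresh = B64.encodeToString(raw);
        refreshStore.put(sha256(refresh), subject);
        return refresh;
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(hmacKey);
            return mac.doFinal(data.getBytes(UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String sha256(String s) {
        try {
            return B64.encodeToString(MessageDigest.getInstance("SHA-256").digest(s.getBytes(UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Usage: call `login` once after the user's credentials are checked, `verifyAccess` on every request in every service that shares the key, and `refresh` only when `verifyAccess` returns null because of `exp`; a second `refresh` with the same token returns null, which is the signal to invalidate the session. Keeping the refresh token out of the JWT and out of `localStorage` (an httpOnly cookie scoped to the refresh endpoint is the usual choice) limits what a script injection on the client can steal to a token that dies in minutes.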

© 2023 RError.com All Rights Reserved   沪ICP备12040472号-5