我正在使用 Spring Security 和 Thymeleaf 在 Spring Boot 中制作一个 Web 应用程序。视图是带有可以添加、查看、编辑和删除的评论的页面。我需要在视图中设置限制,以便在每个评论下的评论页面上,仅针对评论作者的用户显示“编辑评论”按钮,但我不知道如何在 Thymeleaf 中表达这一点。
我在网上找到了这些设计:
<div th:if="${#authorization.expression('hasRole(''ROLE_ADMIN'')')}">
ADMIn section
</div>
<div sec:authentication="name">
<div sec:authentication="principal.authorities">.
但我不知道如何针对我的情况正确地重新表述这一点。谢谢。
先生们,专家,告诉我,pliz:Spring Boot / Security 项目,当添加到 html/Thymeleaf sec:authentication=”principal.authorities”浏览器发出 500 和
Error retrieving value for property "”principal.authorities”" of authentication object of class org.springframework.security.authentication.UsernamePasswordAuthenticationToken
Invalid property '”principal' of bean class [org.springframework.security.authentication.UsernamePasswordAuthenticationToken]: Bean property '”principal' is not readable or has an invalid getter method: Does the return type of the getter match the parameter type of the setter?
同时,authentication.getAuthorities() 在控制台中显示值,一切都在调试中到位,如果您注释掉有问题的行,则访问限制适用于该按钮:
<div sec:authorize="hasAuthority('ADMIN')">
<form th:action="@{/bankdemo/accounts/show/{phone}(phone=${account.phone})}"
th:method="delete">
<input type="hidden" th:name="id" th:value="${bill.id}"/>
<button class="btn btn-danger"
onclick="if (!(confirm('Are you sure you want to delete this bill?')))
return false">
Erase</button>
</form>
</div>
场地:
@ElementCollection(targetClass = Role.class)
@CollectionTable(name="roles", joinColumns = @JoinColumn(name="account_id"))
@Enumerated(EnumType.STRING)
private Set<Role> roles;
吸气剂:
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return roles;
}
埃南:
public enum Role implements GrantedAuthority{
ADMIN, CLIENT;
@Override
public String getAuthority() {
return name();
}
}
怎么了?
在这个视频的帮助下,我正在尝试制作一个类似的购物车。在这个阶段,我试图在用户的购物篮中获取有关产品(游览)的信息。已达到 35 分钟 在此处输入链接说明
我有一个连接旅游和用户的模型
@Entity
@Table(name = "cart_items") public class CartItem {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private int id;
@ManyToOne @JoinColumn(name = "tour_id")
private Tour tour;
@ManyToOne @JoinColumn(name = "user_id")
private User user;
@Column(name = "order_date") private Date date=new Date();
//getters and setters
}
普通用户模型
package com.zaitsava.springboot_touristsite.entity;
import javax.persistence.*;
import java.util.Set;
@Entity
@Table(name = "user")
public class User {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private int id;
@Column(name = "firstname")
private String firstname;
@Column(name = "lastname")
private String lastname;
@Column(name = "patronymic")
private String patronymic;
@Column(name = "email")
private String email;
@Column(name = "phone")
private String phone;
@Column(name = "password")
private String password;
@Column(name = "active")
private int active;
@ManyToMany(cascade=CascadeType.ALL)
@JoinTable(name="user_role", joinColumns=@JoinColumn(name="user_id"),
inverseJoinColumns=@JoinColumn(name="role_id"))
private Set<Role> roles;
//gettes and setters
}
服务
import com.zaitsava.springboot_touristsite.entity.CartItem;
import com.zaitsava.springboot_touristsite.entity.User;
import com.zaitsava.springboot_touristsite.repository.CartItemRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import java.util.List;
@Service
public class ShoppingCartService {
@Autowired
private CartItemRepository cartItemRepository;
public List<CartItem> cartItemList(User user){
return cartItemRepository.findByUser(user);
};
}
和存储库:
package com.zaitsava.springboot_touristsite.repository;
import com.zaitsava.springboot_touristsite.entity.CartItem;
import com.zaitsava.springboot_touristsite.entity.User;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Repository;
import java.util.List;
@Repository
public interface CartItemRepository extends JpaRepository<CartItem,Integer> {
public List<CartItem> findByUser(User user);
}
一切都通过测试很好地添加并写入数据库
说到产品显示控制器,问题就开始了。因为作者的实现用不同的方法扩展了User类,所以无法在控制器中获取当前用户。我试着做
package com.zaitsava.springboot_touristsite.controller;
import com.zaitsava.springboot_touristsite.entity.CartItem;
import com.zaitsava.springboot_touristsite.entity.CurrentUser;
import com.zaitsava.springboot_touristsite.entity.User;
import com.zaitsava.springboot_touristsite.service.ShoppingCartService;
import com.zaitsava.springboot_touristsite.service.UserServiceImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import java.util.List;
@Controller
public class ShoppingCartController {
@Autowired
private ShoppingCartService cartService;
@Autowired
private UserServiceImpl userService;
@GetMapping("/cart")
public String showCart(Model model,@CurrentUser User user){
if(user==null) System.out.println("User is null");
List<CartItem> cartItemList=cartService.cartItemList(user);
model.addAttribute("cartItems",cartItemList);
return "user/cart";
}
}
通过当前用户的注解
package com.zaitsava.springboot_touristsite.entity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import java.lang.annotation.*;
@Target({ElementType.PARAMETER, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@Documented
@AuthenticationPrincipal
public @interface CurrentUser {}
但是,我得到一个空用户,即使我通过 id 为 4 的用户登录。我也尝试通过参数
public String showCart(Model model,Principal principal){
Authentication authentication = (Authentication) principal;
User user= (User) authentication.getPrincipal();
//остальной код
}
但后来我收到有关不正确类型转换的错误
更新 了添加的 Spring Security 设置
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private BCryptPasswordEncoder bCryptPasswordEncoder;
@Autowired
private DataSource dataSource;
private final String USERS_QUERY = "select email, password, active from user where email=?";
private final String ROLES_QUERY = "select u.email, r.role from user u inner join user_role ur on (u.id = ur.user_id) inner join role r on (ur.role_id=r.role_id) where u.email=?";
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.jdbcAuthentication()
.usersByUsernameQuery(USERS_QUERY)
.authoritiesByUsernameQuery(ROLES_QUERY)
.dataSource(dataSource)
.passwordEncoder(bCryptPasswordEncoder);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/user/cart").authenticated()
.antMatchers("/login").permitAll()
.antMatchers("/signup").permitAll()
.antMatchers("favicon.ico").permitAll()
/* .antMatchers("/admin/**").access("hasRole('ADMIN')")*/
.antMatchers("/main/**").hasAuthority("ADMIN").anyRequest()
.authenticated().and().csrf().disable()
.formLogin().loginPage("/login").permitAll().failureUrl("/login?error=true")
.defaultSuccessUrl("/")
.usernameParameter("email")
.passwordParameter("password")
.and().logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/")
.and().rememberMe()
.tokenRepository(persistentTokenRepository())
.tokenValiditySeconds(60 * 60)
.and().exceptionHandling().accessDeniedPage("/access_denied");
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers("/images/**")
.antMatchers("/fonts/**");
}
@Bean
public PersistentTokenRepository persistentTokenRepository() {
JdbcTokenRepositoryImpl db = new JdbcTokenRepositoryImpl();
db.setDataSource(dataSource);
return db;
}
}
用户控制器:
package com.zaitsava.springboot_touristsite.controller;
import javax.validation.Valid;
import com.zaitsava.springboot_touristsite.entity.User;
import com.zaitsava.springboot_touristsite.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.servlet.ModelAndView;
@Controller
public class UserController {
@Autowired
private UserService userService;
@GetMapping("/signup")
public ModelAndView signup() {
ModelAndView model = new ModelAndView();
User user = new User();
model.addObject("user", user);
model.setViewName("user/signup");
return model;
}
@PostMapping("/signup")
public ModelAndView createUser(@Valid User user, BindingResult bindingResult) {
ModelAndView model = new ModelAndView();
User userExists = userService.findUserByEmail(user.getEmail());
if(userExists != null) {
bindingResult.rejectValue("email", "error.user", "User with this email exists");
}
if(bindingResult.hasErrors()) {
model.setViewName("user/signup");
} else {
userService.saveUser(user);
model.addObject("msg", "User succesful register!");
model.addObject("user", new User());
model.setViewName("redirect:home/main");
}
return model;
}
@GetMapping("/home/main")
public ModelAndView home() {
ModelAndView model = new ModelAndView();
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
User user = userService.findUserByEmail(auth.getName());
model.addObject("userName", "Hello,"+user.getFirstname() + " " + user.getLastname()+" "+user.getPatronymic());
model.setViewName("redirect:/");
return model;
}
@GetMapping("/access_denied")
public ModelAndView accessDenied() {
ModelAndView model = new ModelAndView();
model.setViewName("errors/access_denied");
return model;
}
}
我不明白我需要做什么才能让控制器正常工作
目前,通过html表单向数据库添加新用户时,密码以我在表单中指定的方式写入数据库,但是是否有可能以某种方式使密码立即以加密形式进入数据库?
在用 spring MVC + security + hibernate + thymeleaf 编写的简单 crud 应用程序中组织这个的最佳方法是什么?
大部分例子都是用xml文件写的(或者我没好好搜索),但目前我不知道如何在javaConfig上搞砸这个东西。
链接到git 存储库
BCryptPasswordEncoder bean 和自动装配使用它
@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder() {
return new BCryptPasswordEncoder(12);
}
@Autowired
protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userService).passwordEncoder(bCryptPasswordEncoder());
}
添加用户的html表单
<form action="#" th:action="@{addUser}" th:object="${user}" method="post">
<label for="name">Name</label>
<input type="text" th:field="*{name}" id="name" placeholder="Name">
<span th:if="${#fields.hasErrors('name')}" th:errors="*{name}"></span>
<label for="password">Password</label>
<input type="text" th:field="*{password}" id="password" placeholder="Password">
<span th:if="${#fields.hasErrors('password')}" th:errors="*{password}"></span>
<label for="email">Email</label>
<input type="text" th:field="*{email}" id="email" placeholder="Email">
<span th:if="${#fields.hasErrors('email')}" th:errors="*{email}"></span>
<input type="submit" value="Add User">
</form>
添加新用户的控制器
@GetMapping
public ModelAndView showRegistrationForm(User user) {
ModelAndView modelAndView = new ModelAndView("reg");
modelAndView.addObject("user", user);
return modelAndView;
}
@PostMapping("/newUser")
public String createUser(User user) {
user.getRoleSet().add(roleService.getDefaultRole());
userService.addUser(user);
return "redirect:/index";
}
ps addUser 方法调用服务上的 addUser 方法,该方法又使用 JPA (save(user)) 实现
我是否正确理解了 jwt 在微服务架构中的使用:
在身份验证期间,会为用户创建访问令牌和刷新令牌。刷新令牌存储访问令牌的 id。访问令牌在标头中发送给用户并存储在 WebStorage 或 Cookies 中,而访问令牌存储在某处(数据库或文件)。在服务器上客户端用户的后续请求中,访问令牌被发送到服务器,在那里检查其有效性,然后,如果成功,则检查生命周期,如果有,则发出新的访问令牌。