时间戳

首页 > 解决方案 > Spring - 5 getAuthorities() 仍然使用“ROLE_”前缀

java - Spring - 5 getAuthorities() 仍然使用“ROLE_”前缀

问题描述

亲爱的,我正在使用 spring 5,并希望删除 ROLE_ 前缀。因此我使用了“grantedAuthorityDefaults”并将角色前缀设置为“”。不幸的是,当我稍后在SecurityContextHolder.getContext().getAuthentication().getAuthorities()没有登录(公共访问)的页面上调用时,我仍然得到带有“ROLE_”前缀“ROLE_ANONYMOUS”的值,并且我在 JSON Rest 控制器建议中的映射逻辑失败。

我需要在哪些其他地方声明 ROLE 前缀 = "" 的任何命中?

@Configuration
@EnableWebSecurity(debug = true)
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, jsr250Enabled = true)
public class WebSecurityJwtConfiguration extends WebSecurityConfigurerAdapter {
    ...
    @Bean
    public GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults("");
    }
    ...
}

@RestControllerAdvice
public class CoreSecurityJsonViewControllerAdviceimplements ResponseBodyAdvice<Object> {

    protected void beforeBodyWriteInternal(MappingJacksonValue mappingJacksonValue, MediaType mediaType, MethodParameter methodParameter, ServerHttpRequest serverHttpRequest, ServerHttpResponse serverHttpResponse) {
        if (SecurityContextHolder.getContext().getAuthentication() != null && SecurityContextHolder.getContext().getAuthentication().getAuthorities() != null) {

           // HERE I still get values with "ROLE_" prefix

            Collection<? extends GrantedAuthority> authorities = SecurityContextHolder.getContext().getAuthentication().getAuthorities();
            Class prioritizedJsonView = this.getJsonViews(authorities);
            if (prioritizedJsonView != null) {
                mappingJacksonValue.setSerializationView(prioritizedJsonView);
            }
        }
    }

    protected Class getJsonViews(Collection<? extends GrantedAuthority> authorities) {
        Optional var10000 = authorities.stream().map(GrantedAuthority::getAuthority).map(Role::valueOf).max(Comparator.comparing(Enum::ordinal));
        Map var10001 = View.MAPPING;
        var10001.getClass();
        return (Class)var10000.map(var10001::get).orElse((Object)null);
    }

    @Override
    protected Class getJsonViews(Collection<? extends GrantedAuthority> authorities) {
        return authorities.stream()
                .map(GrantedAuthority::getAuthority)
                .map(Role::valueOf)
                .max(Comparator.comparing(Role::ordinal))
                .map(View.MAPPING::get)
                .orElse(null);
    }
}

标签: javaspring-security

解决方案

是的,那是因为AnonymousAuthenticationFilter Spring Security 使用的内部硬编码了“ROLE_ANONYMOUS”

您可以在WebSecurityConfigurerAdapter中使用此覆盖更改该行为

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.anonymous().authorities("ANONYMOUS"); // or your custom role
}

推荐阅读