Spring @PreAuthorize not working with @EnableGlobalMethodSecurity(prePostEnabled = true)

Time: 2015-11-04 19:37:37

Tags: spring spring-mvc spring-security

Here is my code:

@Configuration
@ComponentScan(basePackages = "com.webapp")
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.
            authorizeRequests().antMatchers("/resources/**").permitAll().
            antMatchers("/admin/**").hasRole("ADMIN").
            anyRequest().authenticated().
            and().
            formLogin().loginPage("/login").permitAll().
            and().
            logout().permitAll();
    }

    @Autowired
    public void configureGlobal(UserDetailsService userDetailsService, AuthenticationManagerBuilder auth)
            throws Exception {

        auth.userDetailsService(userDetailsService);

    }
}

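When a request to /admin/* comes in, it verifies whether the user has the admin role by calling "antMatchers("/admin/**").hasRole("ADMIN")", but in my controller it does not check whether the user has the other permissions with @PreAuthorize.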

@Controller
@SessionAttributes({ "user" })
@RequestMapping(value = "/admin/user")
public class UserController {

    static Logger logger = LoggerFactory.getLogger(UserController.class);

    @Autowired
    private RoleDAO roleDao;

    @Autowired
    private MessageSource messageSource;

    @Autowired
    private UserDAO userDao;

    @RequestMapping(value = { "/", "/list" }, method = RequestMethod.GET)
    @PreAuthorize("hasRole('USER_VIEW')")
    public ModelAndView listUsers() {

        List<User> users = userDao.list();
        ModelAndView model = new ModelAndView("/admin/user/user-list");
        model.addObject("users", users);
        if (model.getModel().get("user") == null) {
            model.getModel().put("user", new User());
        }
        this.loadRoles(model);
        return model;
    }
}

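1 answer:

Answer 0: (score: 4)

Typically, Spring Security is available in the root application context, while the Spring MVC beans are initialized in a child context. Therefore org.springframework.security.config.annotation.configuration.AutowireBeanFactoryObjectPostProcessor cannot detect your controller beans, because they live in a child context that is unknown to the root context.

@EnableGlobalMethodSecurity or <global-method-security> must be placed in the same configuration class or XML file where the Spring MVC configuration lives, in order to enable @PreAuthorize and @PostAuthorize.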
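The arrangement the answer describes, as an added example (not code from the question or the answer): method security is enabled in the configuration class loaded into the DispatcherServlet's child context, where the controllers are created. `WebMvcConfig`, `WebAppInitializer` and the package `com.webapp.controller` are assumed names; `SecurityConfig` is the question's class, assumed to be loaded as the root context without scanning the controller package.

```java
// File: WebMvcConfig.java (assumed name; loaded into the child/servlet context)
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
@EnableWebMvc
// Assumed package: only the controllers are scanned here, so they exist
// in the child context and nowhere else.
@ComponentScan(basePackages = "com.webapp.controller")
// Enabled in the same context that creates the @Controller beans, so that
// @PreAuthorize("hasRole('USER_VIEW')") on listUsers() is actually enforced.
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebMvcConfig extends WebMvcConfigurerAdapter {
}

// File: WebAppInitializer.java (assumed name; wires the two contexts)
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

    // Root context: the question's SecurityConfig (filter chain, URL rules,
    // AuthenticationManager). URL rules such as hasRole("ADMIN") live here.
    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class<?>[] { SecurityConfig.class };
    }

    // Child context: MVC beans plus method security for the controllers.
    @Override
    protected Class<?>[] getServletConfigClasses() {
        return new Class<?>[] { WebMvcConfig.class };
    }

    @Override
    protected String[] getServletMappings() {
        return new String[] { "/" };
    }
}
```

To check the result, log in as a user that has the ADMIN role but not USER_VIEW and request /admin/user/list: the URL rule passes and the method-level check should deny access.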