忽略了spring mvc中的安全注释

时间:2013-01-18 19:32:13

标签: java spring security spring-mvc annotations

我正在尝试配置spring安全注释,我已经设法在xml中设置spring安全配置(由intercept-url元素配置),但现在我想在我的bean中使用安全注释。但是在尝试访问安全控制器方法而没有记录时,完全忽略了安全注释。 这是我的控制器bean:

package com.bill.controllers;

import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class MainController {

    @Secured({"ROLE_USER"})
    @RequestMapping("/index.html")
    public String main(ModelMap model) {
        model.addAttribute("test", "test");

        return "main";
    }
}

和登录控制器:

package com.bill.controllers;

import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class LoginController {

    @RequestMapping("/login")
    public String login(ModelMap model) {
        return "login";
    }
}

和配置: 的web.xml

<?xml version="1.0" encoding="UTF-8"?>

<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

    <display-name>tests</display-name>

    <servlet>
        <servlet-name>spring</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>spring</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring-servlet.xml,
            /WEB-INF/spring-security.xml
        </param-value>
    </context-param>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

</web-app>

弹簧servlet.xml中

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:jee="http://www.springframework.org/schema/jee" xmlns:lang="http://www.springframework.org/schema/lang"
    xmlns:p="http://www.springframework.org/schema/p" xmlns:tx="http://www.springframework.org/schema/tx"
    xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
        http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee.xsd
        http://www.springframework.org/schema/lang http://www.springframework.org/schema/lang/spring-lang.xsd
        http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
        http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd">

    <context:component-scan base-package="com.bill" />

    <context:annotation-config />

    <!-- validation configuration -->
    <bean id="validator"
        class="org.springframework.validation.beanvalidation.LocalValidatorFactoryBean" />

    <mvc:annotation-driven validator="validator" />

    <!-- view configuration for thymeleaf -->
    <bean id="templateResolver"
        class="org.thymeleaf.templateresolver.ServletContextTemplateResolver">
        <property name="prefix" value="/WEB-INF/templates/" />
        <property name="suffix" value=".html" />
        <property name="templateMode" value="HTML5" />
        <property name="characterEncoding" value="UTF-8" />
        <property name="cacheable" value="false" />
    </bean>

    <bean id="templateEngine" class="org.thymeleaf.spring3.SpringTemplateEngine">
        <property name="templateResolver" ref="templateResolver" />
    </bean>

    <bean class="org.thymeleaf.spring3.view.ThymeleafViewResolver">
        <property name="templateEngine" ref="templateEngine" />
        <property name="characterEncoding" value="UTF-8" />
    </bean>

    <!-- messages configuration -->
    <bean id="messageSource"
        class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
        <property name="basename" value="classpath:messages/messages" />
        <property name="defaultEncoding" value="UTF-8" />
    </bean>

    <!-- internalization configuration -->
    <bean id="localeChangeInterceptor"
        class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
        <property name="paramName" value="language" />
    </bean>

    <bean
        class="org.springframework.web.servlet.mvc.support.ControllerClassNameHandlerMapping">
        <property name="interceptors">
            <list>
                <ref bean="localeChangeInterceptor" />
            </list>
        </property>
    </bean>

    <!-- datasource configuration for hibernate 4 -->
    <bean id="dataSource"
        class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName" value="com.mysql.jdbc.Driver" />
        <property name="url" value="jdbc:mysql://localhost:3306/bill" />
        <property name="username" value="root" />
        <property name="password" value="****" />
    </bean>

    <bean id="sessionFactory"
        class="org.springframework.orm.hibernate4.LocalSessionFactoryBean">
        <property name="dataSource" ref="dataSource" />
        <property name="packagesToScan" value="com.bill" />
        <property name="hibernateProperties">
            <props>
                <prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
                <prop key="hibernate.show_sql">true</prop>
            </props>
        </property>
    </bean>

    <tx:annotation-driven />

    <bean id="transactionManager"
        class="org.springframework.orm.hibernate4.HibernateTransactionManager">
        <property name="sessionFactory" ref="sessionFactory" />
    </bean>

</beans>

和spring-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http auto-config="true">
        <form-login login-page="/login" default-target-url="/index.html" authentication-failure-url="/login" />
        <logout logout-success-url="/index.html" />
        <anonymous granted-authority="ROLE_GUEST" username="Guest"/>
    </http>

    <authentication-manager>
        <authentication-provider>
            <password-encoder hash="sha-256"/>
            <jdbc-user-service data-source-ref="dataSource"
               users-by-username-query="
                  select LOGIN, PASSWORD, 'true' 
                  from USERS where LOGIN=?" 
               authorities-by-username-query="
                  select LOGIN, ROLE from USERS
                  where LOGIN=?" 
            />
        </authentication-provider>
    </authentication-manager>

    <global-method-security secured-annotations="enabled" />

</beans:beans>

如果需要它我也可以在这里粘贴我的pom.xml,但我认为这是我的配置问题(因为没有安全性的这个例子工作正常,并且在xml中配置安全性也可以)。如果有人能告诉我我的错误在哪里,我真的很高兴。

2 个答案:

答案 0 :(得分:6)

您在spring-security.xml中启用了全局方法安全性,该安全性由根Web应用程序上下文处理。

控制器驻留在调度程序servlet上下文中,不受根Web应用程序上下文的bean后处理程序的影响。

因此,您必须在调度程序servlet上下文中声明<security:global-method-security secured-annotations="enabled" />或使用Web级别的spring安全标记(这对于网页来说似乎很自然)。

请参阅Difference between applicationContext.xml and spring-servlet.xml in Spring Framework

从技术上讲,bean post处理器(以及AOP工具)也可以基于每个容器工作 - 因此@Secured@Transactional之类的东西只能在相应注释的相同应用程序上下文中工作 - {已应用{1}} / <security:global-method-security ../>

答案 1 :(得分:0)

您确定正在加载spring-security.xml吗?如果是,那么它正在加载到正确的位置。请查看this以获取一些提示。