我试图使用Spring security 3.1
但是当我获得ROLE_USER权限时
它没有做任何事情(注释@PreAuthorize(“hasRole('ROLE_ADMIN')”))
我正在使用spring 3.1M和springsecurity 3.1
我还需要做其他事吗?
以下是我的springsecurity配置代码
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:s="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<s:global-method-security pre-post-annotations="enabled">
<!-- <s:expression-handler ref="expressionHandler"/> -->
</s:global-method-security>
<s:http pattern="/css/**" security="none" />
<s:http pattern="/js/**" security="none" />
<s:http pattern="/favicon.ico" security="none" />
<s:http pattern="/index.jsp" security="none" />
<s:http auto-config="true" use-expressions="true" access-denied-page="/denied.jsp">
<s:intercept-url pattern="/web/index" access="permitAll" />
<s:intercept-url pattern="/web/**" access="isAuthenticated()"/>
<s:intercept-url pattern="/web/study/*" access="hasRole('ROLE_USER')"/>
<s:form-login />
<s:logout />
<s:session-management>
<s:concurrency-control
error-if-maximum-exceeded="true" max-sessions="1" expired-url="/expired.jsp" />
</s:session-management>
</s:http>
<!-- Declare an authentication-manager to use a custom userDetailsService -->
<s:authentication-manager>
<s:authentication-provider user-service-ref="userDetailsService">
<s:password-encoder ref="passwordEncoder" />
</s:authentication-provider>
</s:authentication-manager>
<!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the
database -->
<bean
class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"
id="passwordEncoder" />
<s:authentication-manager alias="authenticationManager">
<!-- If you want to use a database, then you can use -->
<s:authentication-provider user-service-ref="userDetailsService">
<s:password-encoder ref="passwordEncoder" />
</s:authentication-provider>
</s:authentication-manager>
</beans>
和contoroller代码
package com.app.web.study.language.action;
import java.util.*;
import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import com.app.web.common.BaseController;
import com.app.web.study.language.service.impl.StudyServiceImpl;
@Controller
public class StudyController extends BaseController {
protected static Logger logger = LoggerFactory.getLogger("StudyController");
@Resource(name="studyServiceImpl")
private StudyServiceImpl studyServiceImpl;
@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping(value = "/study/list", method = RequestMethod.GET)
public String study( Locale locale
, Model model
, HttpServletRequest req) {
logger.info("study", locale);
HashMap<String, Object> parameters = new HashMap<String, Object>();
List list = studyServiceImpl.getList(parameters);
model.addAttribute("ctx", getCrreuntUrl() );
model.addAttribute("list", list );
//model.addAttribute("activeUsers", getlistActiveUsers());
return "base.study";
}
}
答案 0 :(得分:0)
您是否可能遇到此问题Spring Security FAQ
答案 1 :(得分:0)
您需要为目标类启用代理..
<s:global-method-security pre-post-annotations="enabled" proxy-target-class="true"/>