Spring Security 注解 @PreAuthorize 不起作用

时间:2013-02-18 02:23:32

标签: spring-security

我试图使用Spring security 3.1

但是当我获得ROLE_USER权限时

它没有做任何事情(注解 @PreAuthorize("hasRole('ROLE_ADMIN')"))

我正在使用spring 3.1M和springsecurity 3.1

我还需要做其他事吗?

以下是我的springsecurity配置代码

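    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        xmlns:s="http://www.springframework.org/schema/security"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
                            http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                            http://www.springframework.org/schema/security
                            http://www.springframework.org/schema/security/spring-security-3.1.xsd">

      <!-- Enables @PreAuthorize/@PostAuthorize on beans of THIS application context.
           Method security does not cross context boundaries: if this file is loaded by
           the root context while the @Controller beans are created by the
           DispatcherServlet context, the annotations on those controllers are silently
           ignored and only the URL rules below apply. Declare this element in the
           context that creates the annotated beans. proxy-target-class="true" forces
           class (CGLIB) proxies, required when the annotated bean is injected/used by
           its concrete class rather than through an interface. -->
      <s:global-method-security pre-post-annotations="enabled">
        <!-- <s:expression-handler ref="expressionHandler"/> -->
      </s:global-method-security>


        <!-- Static resources bypass the security filter chain entirely. -->
        <s:http pattern="/css/**" security="none" />
        <s:http pattern="/js/**" security="none" />
        <s:http pattern="/favicon.ico" security="none" />
        <s:http pattern="/index.jsp" security="none" />

        <s:http auto-config="true" use-expressions="true" access-denied-page="/denied.jsp">

            <!-- intercept-url rules are evaluated in declaration order and the first
                 matching pattern wins. The specific /web/study/* rule must therefore
                 precede the /web/** catch-all; declared after it (as in the original
                 order) it could never match and its ROLE_USER requirement was never
                 applied. -->
            <s:intercept-url pattern="/web/index" access="permitAll" />
            <s:intercept-url pattern="/web/study/*" access="hasRole('ROLE_USER')"/>
            <s:intercept-url pattern="/web/**" access="isAuthenticated()"/>

            <s:form-login />
            <s:logout />

            <!-- At most one concurrent session per principal; a second login attempt
                 is rejected instead of expiring the first session. -->
            <s:session-management>
                <s:concurrency-control
                    error-if-maximum-exceeded="true" max-sessions="1" expired-url="/expired.jsp" />
            </s:session-management>
        </s:http>

        <!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the 
            database -->
        <!-- NOTE(review): Md5PasswordEncoder is an unsalted, fast digest and offers
             little protection for a leaked password table; it is kept only because the
             stored hashes are already MD5. Moving to a salted adaptive hash requires
             re-hashing the stored passwords (e.g. on next successful login). -->
        <bean
            class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"
            id="passwordEncoder" />

        <!-- Single authentication-manager backed by the custom userDetailsService.
             The original file declared this element twice with the same provider;
             one definition is sufficient, and the alias lets other beans reference
             it by name. -->
        <s:authentication-manager alias="authenticationManager">
            <s:authentication-provider user-service-ref="userDetailsService">
                <s:password-encoder ref="passwordEncoder" />
            </s:authentication-provider>
        </s:authentication-manager>

    </beans>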

以及 controller 代码

    package com.app.web.study.language.action;

    import java.util.*;

    import javax.annotation.Resource;
    import javax.servlet.http.HttpServletRequest;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.security.access.annotation.Secured;
    import org.springframework.security.access.prepost.PreAuthorize;
    import org.springframework.stereotype.Controller;
    import org.springframework.transaction.annotation.Transactional;
    import org.springframework.ui.Model;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.bind.annotation.RequestParam;
    import com.app.web.common.BaseController;
    import com.app.web.study.language.service.impl.StudyServiceImpl;

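    @Controller
    public class StudyController extends BaseController {

        /**
         * Controller logger. Kept {@code protected static} and bound to the same
         * category name so existing subclasses and logging configuration are unaffected;
         * now {@code final} since it is never reassigned.
         */
        protected static final Logger logger = LoggerFactory.getLogger("StudyController");

        @Resource(name="studyServiceImpl")
        private StudyServiceImpl studyServiceImpl;

        /**
         * Renders the study list view.
         *
         * <p>Authorization: {@code @PreAuthorize} requires {@code ROLE_ADMIN}, whereas the
         * URL rules in the accompanying security configuration only require an
         * authenticated user (or {@code ROLE_USER}) for the study pages. A logged-in
         * non-admin therefore passes the filter chain and is stopped only by this
         * annotation. The annotation is enforced only when
         * {@code <global-method-security>} is active in the application context that
         * creates this bean and the bean is proxied; otherwise it is silently ignored.
         *
         * @param locale the request locale, written to the log for diagnostics
         * @param model  the MVC model; receives {@code ctx} and {@code list}
         * @param req    the current request; not read here, kept for the handler signature
         * @return the view name {@code "base.study"}
         */
        @PreAuthorize("hasRole('ROLE_ADMIN')")
        @RequestMapping(value = "/study/list", method = RequestMethod.GET)
        public String study(Locale locale, Model model, HttpServletRequest req) {
            // SLF4J substitutes arguments only into {} placeholders; the original
            // message "study" had none, so the locale argument was silently dropped.
            logger.info("study locale={}", locale);

            HashMap<String, Object> parameters = new HashMap<String, Object>();
            // Wildcard instead of a raw List: the element type is not known here and
            // the value is only handed to the model.
            List<?> list = studyServiceImpl.getList(parameters);

            model.addAttribute("ctx", getCrreuntUrl());
            model.addAttribute("list", list);

            return "base.study";
        }

    }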

2 个答案:

答案 0 :(得分:0)

您是否遇到了 Spring Security FAQ 中描述的这个问题？

答案 1 :(得分:0)

您需要为目标类启用代理：

<s:global-method-security pre-post-annotations="enabled" proxy-target-class="true"/>