RoleVoter not working

Time: 2013-03-07 18:34:01

Tags: spring spring-security

I tried to implement a role hierarchy, but it does not want to work. Apart from that, everything else works perfectly. Here is my spring-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context.xsd">

<!-- Enable method-level security via annotations -->
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled"/>

<!-- Configure form-based authentication -->
<http auto-config="true" use-expressions="true" entry-point-ref="securityEntryPoint" >
    <intercept-url pattern="/resources/script/jquery-ui/**" access="permitAll" />
    <intercept-url pattern="/resources/script/jquery*" access="permitAll" />
    [....]
    <intercept-url pattern="/**" access="isAuthenticated()" />

    <session-management invalid-session-url="/login.jsp?info=invalid" >
        <concurrency-control max-sessions="1" session-registry-alias="sessionRegistry" expired-url="/login.jsp?info=expired" />
    </session-management>

    <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=credentials" />

    <logout logout-url="/logout" invalidate-session="true" logout-success-url="/login.jsp" />

</http>

<!-- Configure a spring security logger listener for logging authentication attempts. -->
<beans:bean id="loggerListener" class="org.springframework.security.access.event.LoggerListener"/>

<!-- Configure a delegating entry point -->
<beans:bean id="securityEntryPoint" class="org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint">

    <!-- Requests of type text/html or application/xhtml+xml should be handled by form-based authentication -->
    <beans:constructor-arg>
        <beans:map>
            <beans:entry>
                <beans:key>
                    <beans:bean class="com.test.security.AcceptHeaderRequestMatcher"/>
                </beans:key>
                <beans:bean class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
                    <beans:property name="loginFormUrl" value="/login.jsp" />
                </beans:bean>
            </beans:entry>
        </beans:map>
    </beans:constructor-arg>

    <!-- Otherwise use BASIC authentication by default -->
    <beans:property name="defaultEntryPoint">
        <beans:bean class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
            <beans:property name="realmName" value="test Web Service" />
        </beans:bean>
    </beans:property>

</beans:bean>

<!-- Configure an authentication manager via our defaultUserService -->
<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="defaultUserService">
        <password-encoder hash="md5" />
    </authentication-provider>
</authentication-manager>

<!-- Access decision manager built from a hierarchy-aware role voter.
     Note: this bean is not referenced from <http> or <global-method-security> above. -->
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:ref bean="roleVoter" />
            <beans:ref bean="authenticatedVoter" />
        </beans:list>
    </beans:property>
</beans:bean>

<!-- Role voter that consults the hierarchy; empty prefix so PERM_* attributes are accepted -->
<beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
    <beans:constructor-arg ref="roleHierarchy" />
    <beans:property name="rolePrefix" value="" />
</beans:bean>

<beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <beans:property name="hierarchy">
        <beans:value>
            PERM_READ_ALL_USER_LIST > PERM_READ_USER_LIST
        </beans:value>
    </beans:property>
</beans:bean>

</beans:beans>

If I try to access a resource that requires PERM_READ_USER_LIST, @PreAuthorize("hasRole('PERM_READ_USER_LIST')"), it does not work for a user who has PERM_READ_ALL_USER_LIST, but it does work if he has PERM_READ_USER_LIST. Apparently the RoleVoter is not doing its job, but I don't know why...

Thanks.

1 answer:

Answer 0 (score: 1)

You have to specify the hierarchy explicitly for the MethodSecurityExpressionHandler.

For details, see this Stack Overflow question and answer: How to use role-hierarchy in Spring Security 3 with Spring EL?
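The wiring the answer refers to, as an added example that is not part of the original question or answer. With `use-expressions="true"` on `<http>` and `pre-post-annotations="enabled"` on `<global-method-security>`, `hasRole(...)` is evaluated by the web and method security expression handlers, not by an `AccessDecisionManager` voter. The `accessDecisionManager` and `roleVoter` beans in the question are defined but never referenced from `<http>` or `<global-method-security>`, so they have no effect on either path. In Spring Security 3.1 both `DefaultWebSecurityExpressionHandler` and `DefaultMethodSecurityExpressionHandler` expose a `roleHierarchy` property; the bean ids `webExpressionHandler` and `methodExpressionHandler` below are assumptions, `roleHierarchy` is the bean from the question, and the `...` stands for the rest of the asker's `<http>` block, which is unchanged.

```xml
<!-- Role hierarchy: a user holding PERM_READ_ALL_USER_LIST also satisfies PERM_READ_USER_LIST -->
<beans:bean id="roleHierarchy"
    class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <beans:property name="hierarchy">
        <beans:value>
            PERM_READ_ALL_USER_LIST > PERM_READ_USER_LIST
        </beans:value>
    </beans:property>
</beans:bean>

<!-- Expression handler used for @PreAuthorize / @PostAuthorize (bean id is an assumption) -->
<beans:bean id="methodExpressionHandler"
    class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <beans:property name="roleHierarchy" ref="roleHierarchy" />
</beans:bean>

<!-- Without <expression-handler>, hasRole('PERM_READ_USER_LIST') in @PreAuthorize only matches the literal authority -->
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
    <expression-handler ref="methodExpressionHandler" />
</global-method-security>

<!-- Expression handler used for <intercept-url access="..."> (bean id is an assumption) -->
<beans:bean id="webExpressionHandler"
    class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
    <beans:property name="roleHierarchy" ref="roleHierarchy" />
</beans:bean>

<http auto-config="true" use-expressions="true" entry-point-ref="securityEntryPoint">
    <expression-handler ref="webExpressionHandler" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    ...
</http>
```

The `@Secured` annotations enabled by `secured-annotations="enabled"` do not go through the expression handler; they are decided by the method security `AccessDecisionManager`. To make the hierarchy apply there as well, point `<global-method-security access-decision-manager-ref="accessDecisionManager">` at the `AffirmativeBased` bean from the question, which is what makes its `RoleHierarchyVoter` actually vote. A quick check after the change is to authenticate a user holding only `PERM_READ_ALL_USER_LIST` and confirm the `@PreAuthorize("hasRole('PERM_READ_USER_LIST')")` method is now allowed, and that a user with neither authority is still rejected.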