Spring Security + MVC - @Secured - 已经在* servlet.xml中声明了global-method-security

时间:2013-04-16 18:45:27

标签: spring-mvc spring-security

希望有人可以帮助我。

我正在尝试在 Spring MVC 3.0.8 中配置 Spring Security 3.1,但带注解的控制器并没有被 Spring Security 限制访问。

web.xml:

<!-- Root (ContextLoaderListener) context: both files below are loaded into ONE
     application context, so the security configuration and the component-scan
     declared in applicationContext.xml share it. -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/Spring/applicationContext-security.xml
        /WEB-INF/Spring/applicationContext.xml
    </param-value>
</context-param>

<!-- Spring Security entry point: DelegatingFilterProxy forwards to the root-context
     bean with the same name as the filter ("springSecurityFilterChain"), which the
     <http> elements in applicationContext-security.xml create. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- Mapped first on /*, so the security chain runs before sitemesh for every request. -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Sitemesh (page decoration). filter-mapping order defines the chain order,
     so this runs after the security filter. -->
<filter>
    <filter-name>sitemesh</filter-name>
    <filter-class>com.opensymphony.module.sitemesh.filter.PageFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>sitemesh</filter-name>
    <url-pattern>/*</url-pattern>
    <!-- <servlet-name>referencia</servlet-name> -->
</filter-mapping>

<!-- Spring Listeners -->

<!-- Publishes session created/destroyed events to the Spring context; required by the
     <concurrency-control max-sessions="1"/> in applicationContext-security.xml. -->
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<!-- Bootstraps the root context from contextConfigLocation above. -->
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Exposes the current request via RequestContextHolder to code running outside the DispatcherServlet. -->
<listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>

<!-- Container-level handler for HTTP 500 responses. -->
<error-page>
    <error-code>500</error-code>
    <location>/erroInterno.jsp</location>
</error-page>

<!-- DispatcherServlet "stc". No contextConfigLocation is given here, so Spring's default
     /WEB-INF/stc-servlet.xml is loaded as the child (web) context of the root context.
     NOTE(review): the servlet configuration is shown on this page as "STC-servlet.xml";
     on a case-sensitive filesystem only the lowercase default name is picked up - confirm. -->
<servlet>
    <servlet-name>stc</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<!-- Mapped on "/" (default-servlet mapping), not "/*", so the container's JSP servlet still handles *.jsp. -->
<servlet-mapping>
    <servlet-name>stc</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
</welcome-file-list>

<!-- Minutes of inactivity after which the container invalidates the HTTP session. -->
<session-config>
    <session-timeout>30</session-timeout>
</session-config>

applicationContext.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!-- Root application context (loaded by ContextLoaderListener, see web.xml).
     Everything declared here, including the scanned @Controller beans, belongs to the
     ROOT context, not to the DispatcherServlet's child context. -->
<beans xmlns="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:p="http://www.springframework.org/schema/p" 
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:oxm="http://www.springframework.org/schema/oxm"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xmlns:task="http://www.springframework.org/schema/task"
    xmlns:security="http://www.springframework.org/schema/security" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
            http://www.springframework.org/schema/oxm http://www.springframework.org/schema/oxm/spring-oxm-3.0.xsd
            http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
            http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
            http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task-3.0.xsd">

<!-- import the dataSource definition (the "dataSource" bean referenced below) -->
<import resource="applicationContext-dataSource.xml"/>

<!-- Base package scanned for annotated components, which are auto-registered as Spring beans.
     NOTE(review): this package also contains the @Controller classes, so they become beans of
     the ROOT context. <security:global-method-security> is declared only in the servlet
     context (stc-servlet.xml) and only post-processes beans of that context, so the
     @Secured annotations on these controllers are never enforced. Either declare the
     method-security element in this file or scan the controller package from stc-servlet.xml. -->
<context:component-scan base-package="br.com.cielo.portalcontestacao" />

<!-- Enables annotation processing (@Autowired, @Resource, ...) on the declared beans;
     component-scan above already registers the same post-processors. -->
<context:annotation-config />

<!-- Configures the annotation-driven Spring MVC Controller programming model.
Note that, with Spring 3.0, this tag works in Servlet MVC only! -->
<mvc:annotation-driven  />

<!-- Static resources: URL /resources/** is served from /static/ with a one-year
     (31556926 s) cache period.
     NOTE(review): applicationContext-security.xml exempts "/static/**" (the location),
     not "/resources/**" (the public URL) - confirm which path the pages actually use. -->
<mvc:resources mapping="/resources/**" location="/static/" cache-period="31556926"/>

<!-- JDBC templates for the DAOs, both built on the imported dataSource. -->
<bean id="namedParameterJdbcTemplate" class="org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate">
    <constructor-arg ref="dataSource" />
</bean>

<bean id="jdbcTemplate" class="org.springframework.jdbc.core.JdbcTemplate">
    <constructor-arg ref="dataSource" />
</bean>

<!-- Executor for @Async methods: 0 to 3 threads, no queue (a task arriving while all
     3 threads are busy runs on the caller's thread), idle threads released after 300 s. -->
<task:executor id="taskExecutor" pool-size="0-3" queue-capacity="0" rejection-policy="CALLER_RUNS" keep-alive="300"/>
<task:annotation-driven executor="taskExecutor" />

<!-- Oracle-specific LOB handler; nothing shown in this file references it (presumably the DAOs do). -->
<bean id="lobHandler" class="org.springframework.jdbc.support.lob.OracleLobHandler">
</bean>

<!-- Locale configuration: the locale is kept in the HTTP session, default pt_BR. -->
<bean id="localeResolver" class="org.springframework.web.servlet.i18n.SessionLocaleResolver">
    <property name="defaultLocale" value="pt_BR" />
</bean>

<!-- Annotation-driven (@Transactional) transaction management for the application -->
<tx:annotation-driven transaction-manager="transactionManager"/>

<!-- Declares which transaction manager to use: plain JDBC transactions on dataSource.
     nestedTransactionAllowed="true" enables nested transactions through JDBC savepoints;
     NOTE(review): this needs savepoint support in the JDBC driver - confirm. -->
<bean id="transactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
    <property name="dataSource" ref="dataSource"/>
    <property name="nestedTransactionAllowed" value="true"/>
</bean>

<!-- System messages: resource bundle "mensagens" (mensagens*.properties on the classpath).
     stc-servlet.xml declares a bean with the same id, which takes precedence inside the web context. -->
<bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
   <property name="basename" value="mensagens" />
</bean>

<bean name="stcProperties" class="br.com.cielo.portalcontestacao.service.utils.STCProperties"/>

<!-- Service gateway; also injected into stcAuthenticationProvider in applicationContext-security.xml. -->
<bean name="serviceInvoker" class="br.com.cielo.portalcontestacao.service.ServiceInvokerImpl"/>
</beans>

applicationContext-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security 3.1 configuration. Loaded into the ROOT context together with
     applicationContext.xml (see contextConfigLocation in web.xml). The security namespace
     is the default here, so unprefixed elements are Spring Security elements and plain
     bean definitions need the "beans:" prefix. -->
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns="http://www.springframework.org/schema/security" 
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation=
    "http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">

<!-- No security filter chain at all for these paths: no authentication, no SecurityContext,
     no session management. This exempts the /static/** URL path, whereas applicationContext.xml
     publishes the static files under /resources/** - NOTE(review): confirm the two agree. -->
<http pattern="/static/**" security="none"/>
<!-- Only the exact root URL is exempt (this is not "/**"). -->
<http pattern="/" security="none"/>

<!-- Main filter chain. auto-config adds form login, HTTP Basic and logout support;
     use-expressions makes the "access" attributes SpEL expressions;
     disable-url-rewriting keeps ;jsessionid out of generated URLs. -->
<http auto-config='true' disable-url-rewriting="true" use-expressions="true">
    <!-- The login page is reachable by anonymous and by fully authenticated users.
         NOTE(review): this is the ONLY intercept-url rule; there is no catch-all such as
         pattern="/**" access="isAuthenticated()". A request that matches no rule carries no
         access attributes and passes the FilterSecurityInterceptor without an authorization
         check, so URL-level protection currently rests on the @Secured annotations alone,
         and those are not being applied (see the placement of global-method-security). -->
    <intercept-url pattern="/pages/login" access="anonymous or fullyAuthenticated" />
    <!-- Custom login page, rendered by the mvc:view-controller for /pages/login in stc-servlet.xml. -->
    <form-login login-page="/pages/login"  />

    <!-- newSession: a fresh session is created at login and the old session's attributes
         are NOT copied over (the default, migrateSession, copies them).
         max-sessions="1" relies on the HttpSessionEventPublisher listener registered in web.xml. -->
    <session-management session-fixation-protection="newSession">
        <concurrency-control max-sessions="1" />
    </session-management>
</http>

<!-- Application UserDetailsService, backed by the JDBC templates defined in applicationContext.xml. -->
<beans:bean id='userDetailsService'
    class="br.com.cielo.portalcontestacao.security.UserDetailsServiceImpl">
    <beans:property name="jdbcTemplate" ref="jdbcTemplate"/>
    <beans:property name="namedParameterJdbcTemplate" ref="namedParameterJdbcTemplate"/>
</beans:bean>

<!-- Custom AuthenticationProvider; wired with the serviceInvoker bean and the UserDetailsService above. -->
<beans:bean id='stcAuthenticationProvider'
    class="br.com.cielo.portalcontestacao.security.AuthenticationProviderServiceImpl">
    <beans:property name="serviceInvoker" ref="serviceInvoker"/>
    <beans:property name="userDetailsService" ref="userDetailsService"/>
</beans:bean>

<!-- erase-credentials: the password is cleared from the Authentication object once
     authentication succeeds, so it is not retained in the session. -->
<authentication-manager erase-credentials="true">
    <authentication-provider ref='stcAuthenticationProvider' />
</authentication-manager>
</beans:beans>

STC-servlet.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!-- DispatcherServlet application context for web tier. -->
<!-- Child context of the "stc" DispatcherServlet (web.xml). Beans here can reference
     root-context beans, but bean post-processors registered in one context do not
     process beans of the other. -->
<beans xmlns="http://www.springframework.org/schema/beans" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:security="http://www.springframework.org/schema/security" 
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
            http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
            http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
            http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<!--context:annotation-config/-->
<!-- Enables @Secured on beans of THIS (web) context only.
     NOTE(review): the @Secured controllers are registered by the component-scan in
     applicationContext.xml, i.e. in the root context, so this element never sees them
     and their annotations have no effect. Declare it next to that component-scan, or scan
     the controller package from this file instead. Because the controllers implement no
     interface, enforcement additionally needs class-based (CGLIB) proxies, and such a
     proxy cannot intercept a final method like ImportacaoArquivo.exibirPageLinks(). -->
<security:global-method-security secured-annotations="enabled"/>

<!-- Plain URL-to-view mappings with no controller code.
     NOTE(review): the "acessoNegado" view is mapped here, but the security configuration
     shown declares no access-denied handler that routes to /pages/acessonegado. -->
<mvc:view-controller path="/pages/login" view-name="login"/>
<mvc:view-controller path="/pages/home" view-name="index"/>
<mvc:view-controller path="/pages/acessonegado" view-name="acessoNegado"/>

<!-- Declares the exceptions handled by the framework (currently disabled) -->
<!--bean class="br.com.cielo.portalcontestacao.service.exceptions.GenericException">
    <property name="exceptionMappings">
        <props>
            <prop key="java.lang.Exception">dataAccessFailure</prop>
            <prop key="org.springframework.web.servlet.PageNotFound">pageNotFound</prop>
            <prop key="org.springframework.dao.DataAccessException">dataAccessFailure</prop>
            <prop key="org.springframework.transaction.TransactionException">dataAccessFailure</prop>
        </props>
    </property>
</bean-->

<!-- Declaration of the view resolvers used by the application.
     NOTE(review): XmlViewResolver and the InternalResourceViewResolver below both use
     order="0", so their relative precedence is unspecified. InternalResourceViewResolver
     resolves every view name it is given, so it is normally placed last (highest order). -->
<bean class="org.springframework.web.servlet.view.XmlViewResolver">
    <property name="order" value="0" />
</bean>

<!-- Views defined in views*.properties on the classpath. -->
<bean class="org.springframework.web.servlet.view.ResourceBundleViewResolver">
   <property name="basename" value="views"/>
   <property name="order" value="1" />
</bean>

<!-- JSP views: view name "x" becomes /WEB-INF/jsp/x.jsp. -->
<bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <property name="viewClass" value="org.springframework.web.servlet.view.JstlView"/>
    <property name="prefix" value="/WEB-INF/jsp/"/>
    <property name="suffix" value=".jsp"/>
    <property name="order" value="0" />
</bean>

<!-- Same basename as the root-context messageSource; this definition takes precedence inside the web context. -->
<bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
    <property name="basename" value="mensagens"/>
</bean>

<!-- Multipart (file upload) support; requests above the size below are rejected. -->
<bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
     <!-- one of the properties available; the maximum file size in bytes -->
     <property name="maxUploadSize" value="10000000" />
 </bean>
</beans>

以下是我希望 Spring Security 限制访问的一些类(import 语句已省略):

ImportacaoArquivo.java

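/**
 * Controller for the file-import ("importacao de arquivo") screen.
 *
 * <p>Both the class and its handler method carry {@code @Secured("ROLE_SCHEDULE")};
 * the method-level annotation repeats the class-level one and is harmless.
 * Method security is applied through a proxy created by
 * {@code <security:global-method-security>} in the SAME application context that
 * owns this bean. Because the class implements no interface, that proxy is a CGLIB
 * subclass, which cannot override a {@code final} method.
 */
@Secured("ROLE_SCHEDULE")
@Controller
public class ImportacaoArquivo {

    /**
     * Handles {@code GET /pages/schedules}.
     *
     * <p>Deliberately not {@code final}: a final handler method cannot be overridden by
     * the CGLIB security proxy, so {@code @Secured} would silently not apply to it.
     *
     * @param request the current request (not used by this handler)
     * @return the "arquivo" view with no model
     */
    @Secured("ROLE_SCHEDULE")
    @RequestMapping(value = "/pages/schedules", method = RequestMethod.GET)
    public ModelAndView exibirPageLinks(final HttpServletRequest request) {
        return new ModelAndView("arquivo");
    }
}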

3 个答案:

答案 0 :(得分:3)

<security:global-method-security />应该与要保护的 bean 声明在同一个 Spring 上下文中。

由于你的控制器是通过 applicationContext.xml 中的 <context:component-scan /> 在根上下文中声明的,所以 <security:global-method-security /> 也应该在那里声明,而不是在 servlet 上下文中。

答案 1 :(得分:0)

所以,这是我从阅读不同来源收集的信息:

  • 您的 <security:global-method-security /> 必须在 stc-servlet.xml 中声明。
  • 您的控制器的 <context:component-scan /> 必须在 stc-servlet.xml 中声明。对其余 bean 的扫描可以仍保留在 applicationContext.xml 中。如果您的控制器单独放在一个包中且该包不包含其他类(例如 br.com.cielo.portalcontestacao.controllers ),这种做法效果最好。
  • 同样在 stc-servlet.xml 中,您需要定义 <aop:config proxy-target-class="true" />。这指示 Spring 使用 CGLib 对方法和类进行代理(advise);由于您的控制器没有实现任何接口,这一步是必需的。

替代解决方案:

  • 使用常规的 intercept-url 规则来定义哪些端点需要受保护。
  • 在服务层 bean 上使用 @Secured 注解,而不是在控制器上使用它。

答案 2 :(得分:0)

从 ImportacaoArquivo.java 文件中的方法上删除 'final' 关键字:

// The only change from the original is dropping 'final' on the method: a CGLIB
// subclass proxy (needed because the controller implements no interface) cannot
// override a final method, so @Secured on it would never be enforced.
@Secured("ROLE_SCHEDULE")
@RequestMapping(value = "/pages/schedules", method = RequestMethod.GET)
public ModelAndView exibirPageLinks(final HttpServletRequest request) {
    return new ModelAndView("arquivo");
}