Spring Security ACL: user does not get permissions

Date: 2013-06-23 14:19:29

Tags: spring spring-security acl

Everything seems fine. Authentication works and the user gets their roles. I protected methods with annotations (e.g. @PreAuthorize("hasPermission(#post, 'READ')")); it works and I am denied access. I created a database in which the users' permissions on objects are described.

My problem is that after the user is authenticated, they do not get the permissions: even though the user has rights on the object, access is denied. Also, I noticed that after the user logs in, the server log file should contain a line that writes out the permissions they were granted, but I have no such line.

My files:

web.xml

...
<filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
</filter-mapping>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring-security.xml
        /WEB-INF/acl-context.xml
        /WEB-INF/mvc-dispatcher-servlet.xml 
    </param-value>
</context-param>...

mvc-dispatcher-servlet.xml

...
<security:global-method-security pre-post-annotations="enabled">
    <security:expression-handler ref="expressionHandler" />
</security:global-method-security>

<context:annotation-config />

<tx:annotation-driven />
<tx:jta-transaction-manager />

<context:component-scan base-package="com.bla-bla.bla.controllers" />

<mvc:annotation-driven />
...

spring-security.xml

...
<security:http auto-config="true" use-expressions="true"
    access-denied-page="/auth/denied.html">
    <security:intercept-url pattern="/auth/login.html" access="permitAll" />
    <security:form-login login-page="/auth/login.html"
        authentication-failure-url="/auth/login.html?error=true"
        default-target-url="/index.html" />
    <security:logout invalidate-session="true"
        logout-success-url="/auth/login.html" logout-url="/auth/logout.html" />
</security:http>

<security:authentication-manager>
    <security:authentication-provider
        user-service-ref="userService">
        <security:password-encoder ref="pswEncoder" />
    </security:authentication-provider>
</security:authentication-manager>

<bean id="userService"
    class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
    <property name="dataSource" ref="jndiJboss" />
    <property name="usersByUsernameQuery"
        value="SELECT login, pass, enabled FROM accounts WHERE login=?" />
    <property name="authoritiesByUsernameQuery"
        value="SELECT login, authority FROM accounts WHERE login=?" />
</bean>

<bean
    class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"
    id="pswEncoder" />
...

acl-context.xml

...
<bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler"
    p:permissionEvaluator-ref="permissionEvaluator"
    p:roleHierarchy-ref="roleHierarchy" />

<bean class="org.springframework.security.acls.AclPermissionEvaluator" id="permissionEvaluator">
    <constructor-arg ref="aclService"/>
</bean>

<bean class="org.springframework.security.acls.jdbc.JdbcMutableAclService" id="aclService">
    <constructor-arg ref="jndiJboss"/>
    <constructor-arg ref="lookupStrategy"/>
    <constructor-arg ref="aclCache"/>
</bean>

<bean id="lookupStrategy" class="org.springframework.security.acls.jdbc.BasicLookupStrategy">
    <constructor-arg ref="jndiJboss"/>
    <constructor-arg ref="aclCache"/>
    <constructor-arg ref="aclAuthorizationStrategy"/>
    <constructor-arg ref="auditLogger"/>
</bean>

<bean id="jndiJboss" class="org.springframework.jndi.JndiObjectFactoryBean">
    <property name="jndiName" value="java:/JBossDB"/>
</bean>

<bean id="aclCache" class="org.springframework.security.acls.domain.EhCacheBasedAclCache">
    <constructor-arg>
        <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
            <property name="cacheManager">
                <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
            </property>
            <property name="cacheName" value="aclCache"/>
        </bean>
    </constructor-arg>
</bean>

<bean id="aclAuthorizationStrategy" class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                <constructor-arg value="ROLE_ADMIN"/>
            </bean>
            <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                <constructor-arg value="ROLE_ADMIN"/>
            </bean>
            <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                <constructor-arg value="ROLE_ADMIN"/>
            </bean>
        </list>
    </constructor-arg>
</bean>

<bean id="auditLogger" class="org.springframework.security.acls.domain.ConsoleAuditLogger"/>


<bean id="roleHierarchy"  class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <property name="hierarchy">
        <value>
            ROLE_ADMIN > ROLE_USER
        </value>
    </property>
</bean>
...

Example of a protected controller method

@Override
@RequestMapping(value = "/post/delete.html", method = RequestMethod.GET)
@Transactional
@PreAuthorize("hasPermission(#post, 'READ')")
public String delete(final Post post) {
    //some actions
    return "post/view";
}

What could be the problem?

UPD. My problem was the incorrect population of acl_object_identity.
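For reference, the rows the standard Spring Security ACL tables need for hasPermission(#post, 'READ') to be granted, plus the join BasicLookupStrategy effectively performs so the acl_object_identity population can be checked by hand. This is an added example, not part of the question or answer; it assumes the reference acl_* schema, a MySQL-style database where booleans are 0/1, a domain class named com.example.Post whose getId() returns 42, and a user whose accounts.login is 'alice' (all constructed values).

```sql
-- Constructed example: rows that let user 'alice' pass
-- @PreAuthorize("hasPermission(#post, 'READ')") for the Post with id 42.
-- Assumed names: com.example.Post, id 42, login 'alice'.

-- 1. The SID. principal = 1 means "a username", and the value must match the
--    login that JdbcDaoImpl authenticated (accounts.login in the question).
INSERT INTO acl_sid (id, principal, sid) VALUES (1, 1, 'alice');

-- 2. The secured class. ObjectIdentityImpl uses the fully-qualified class
--    name (post.getClass().getName()); storing a simple name such as 'Post'
--    makes the lookup find no ACL, and hasPermission() then denies.
INSERT INTO acl_class (id, class) VALUES (1, 'com.example.Post');

-- 3. The object identity. object_id_class references acl_class.id and
--    object_id_identity must equal Post.getId() of the instance being
--    checked (newer schemas store it as VARCHAR, older ones as BIGINT).
--    owner_sid references acl_sid.id; entries_inheriting = 0 skips parents.
INSERT INTO acl_object_identity
       (id, object_id_class, object_id_identity, parent_object, owner_sid, entries_inheriting)
VALUES (1, 1, 42, NULL, 1, 0);

-- 4. The ACE. mask 1 = BasePermission.READ (WRITE = 2, CREATE = 4,
--    DELETE = 8, ADMINISTRATION = 16). granting = 1 allows; audit_success /
--    audit_failure = 1 make ConsoleAuditLogger print a GRANTED/DENIED line
--    for this ACE, which is the kind of log line the question expects.
INSERT INTO acl_entry
       (id, acl_object_identity, ace_order, sid, mask, granting, audit_success, audit_failure)
VALUES (1, 1, 0, 1, 1, 1, 1, 1);

-- Check: the same class/id pair the expression evaluator passes in must
-- resolve to at least one granting ACE for the caller's SID. If this query
-- returns no row, the problem is in the acl_* data, not in the roles.
SELECT c.class, oi.object_id_identity, s.sid, e.mask, e.granting
  FROM acl_object_identity oi
  JOIN acl_class c ON c.id = oi.object_id_class
  JOIN acl_entry e ON e.acl_object_identity = oi.id
  JOIN acl_sid   s ON s.id = e.sid
 WHERE c.class = 'com.example.Post'
   AND oi.object_id_identity = 42
 ORDER BY e.ace_order;
```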

1 answer:

Answer 0 (score: 0)

Post the code that uses the ACL (the secured method call) and point out those classes in the Spring configuration files. Also, why did you put the <security:global-method-security /> element in the MVC configuration file?