Everything seems fine. Authentication is working and the user gets roles. I protected methods with annotations (for example @PreAuthorize("hasPermission(#post,'READ')")); it works and I am denied access. I created a database in which the user's permissions on objects are described.
My problem is that after the user is authenticated he does not get the permissions: even if the user has rights to the object, he is denied access. Also, I noticed that after the user logs in there should be a line in the server log file writing out which permissions he obtained, but I have no such line.
My files:
web.xml
...
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-security.xml
/WEB-INF/acl-context.xml
/WEB-INF/mvc-dispatcher-servlet.xml
</param-value>
</context-param>...
mvc-dispatcher-servlet.xml
...
<security:global-method-security pre-post-annotations="enabled">
<security:expression-handler ref="expressionHandler" />
</security:global-method-security>
<context:annotation-config />
<tx:annotation-driven />
<tx:jta-transaction-manager />
<context:component-scan base-package="com.bla-bla.bla.controllers" />
<mvc:annotation-driven />
...
spring-security.xml
...
<security:http auto-config="true" use-expressions="true"
access-denied-page="/auth/denied.html">
<security:intercept-url pattern="/auth/login.html" access="permitAll" />
<security:form-login login-page="/auth/login.html"
authentication-failure-url="/auth/login.html?error=true"
default-target-url="/index.html" />
<security:logout invalidate-session="true"
logout-success-url="/auth/login.html" logout-url="/auth/logout.html" />
</security:http>
<security:authentication-manager>
<security:authentication-provider
user-service-ref="userService">
<security:password-encoder ref="pswEncoder" />
</security:authentication-provider>
</security:authentication-manager>
<bean id="userService"
class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
<property name="dataSource" ref="jndiJboss" />
<property name="usersByUsernameQuery"
value="SELECT login, pass, enabled FROM accounts WHERE login=?" />
<property name="authoritiesByUsernameQuery"
value="SELECT login, authority FROM accounts WHERE login=?" />
</bean>
<bean
class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"
id="pswEncoder" />
...
acl-context.xml
...
<bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler"
p:permissionEvaluator-ref="permissionEvaluator"
p:roleHierarchy-ref="roleHierarchy" />
<bean class="org.springframework.security.acls.AclPermissionEvaluator" id="permissionEvaluator">
<constructor-arg ref="aclService"/>
</bean>
<bean class="org.springframework.security.acls.jdbc.JdbcMutableAclService" id="aclService">
<constructor-arg ref="jndiJboss"/>
<constructor-arg ref="lookupStrategy"/>
<constructor-arg ref="aclCache"/>
</bean>
<bean id="lookupStrategy" class="org.springframework.security.acls.jdbc.BasicLookupStrategy">
<constructor-arg ref="jndiJboss"/>
<constructor-arg ref="aclCache"/>
<constructor-arg ref="aclAuthorizationStrategy"/>
<constructor-arg ref="auditLogger"/>
</bean>
<bean id="jndiJboss" class="org.springframework.jndi.JndiObjectFactoryBean">
<property name="jndiName" value="java:/JBossDB"/>
</bean>
<bean id="aclCache" class="org.springframework.security.acls.domain.EhCacheBasedAclCache">
<constructor-arg>
<bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
<property name="cacheManager">
<bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
</property>
<property name="cacheName" value="aclCache"/>
</bean>
</constructor-arg>
</bean>
<bean id="aclAuthorizationStrategy" class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
<constructor-arg>
<list>
<bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
<constructor-arg value="ROLE_ADMIN"/>
</bean>
<bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
<constructor-arg value="ROLE_ADMIN"/>
</bean>
<bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
<constructor-arg value="ROLE_ADMIN"/>
</bean>
</list>
</constructor-arg>
</bean>
<bean id="auditLogger" class="org.springframework.security.acls.domain.ConsoleAuditLogger"/>
<bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
<property name="hierarchy">
<value>
ROLE_ADMIN > ROLE_USER
</value>
</property>
</bean>
...
Example of a protected controller method
@Override
@RequestMapping(value = "/post/delete.html", method = RequestMethod.GET)
@Transactional
@PreAuthorize("hasPermission(#post, 'READ')")
public String delete(final Post post) {
//some actions
return "post/view";
}
What could be the problem?
UPD. My problem was an incorrectly populated acl_object_identity.
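The UPD points at acl_object_identity. As an added example (not code from the original post), this is how those rows are created through Spring Security's own MutableAclService so that they match what hasPermission(#post, 'READ') looks up at runtime. It assumes a domain class Post with a getId() returning a Long and the aclService bean from acl-context.xml; PostAclAdmin, grantRead and the stand-in Post class are my names.

```java
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Sid;
import org.springframework.transaction.annotation.Transactional;

// Stand-in for the question's Post domain class (assumed shape, not the original).
// AclPermissionEvaluator reflectively calls getId() on the object bound to #post.
class Post {
    private final Long id;
    Post(Long id) { this.id = id; }
    public Long getId() { return id; }
}

public class PostAclAdmin {
    private final MutableAclService aclService; // the "aclService" bean (JdbcMutableAclService)

    public PostAclAdmin(MutableAclService aclService) {
        this.aclService = aclService;
    }

    /**
     * Grant READ on one Post to one user. JdbcMutableAclService writes the rows in
     * acl_class, acl_sid, acl_object_identity and acl_entry itself and refreshes the
     * ACL cache, so the identifiers are guaranteed to match what hasPermission() derives.
     * Must run with an authenticated SecurityContext: createAcl records the caller as owner.
     */
    @Transactional
    public void grantRead(Post post, String username) {
        // type  -> acl_class.class           = fully-qualified class name of Post
        // ident -> acl_object_identity.object_id_identity = post.getId() (a Long in Spring Security 3.x)
        ObjectIdentity oid = new ObjectIdentityImpl(Post.class, post.getId());
        Sid sid = new PrincipalSid(username);      // acl_sid row with principal = true

        MutableAcl acl;
        try {
            acl = (MutableAcl) aclService.readAclById(oid);
        } catch (NotFoundException e) {
            acl = aclService.createAcl(oid);       // inserts the acl_object_identity row
        }
        // Append a granting ACE; mask 1 == BasePermission.READ, the 'READ' string in the expression.
        acl.insertAce(acl.getEntries().size(), BasePermission.READ, sid, true);
        aclService.updateAcl(acl);
    }
}
```

A Post bound from the request without its id populated yields an identity with a null identifier and can never match a stored row, so the controller's @PreAuthorize check needs the id set before evaluation.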
Answer 0 (score: 0)
Post the code that uses the ACL (the secured method call) and point out those classes in your Spring configuration files. Also, why are you putting the <security:global-method-security /> element in the MVC configuration file?