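I have a Java web application with Spring Security. I use the @PreAuthorize annotation, but it doesn't work.
I have a PermissionResolver class that implements the PermissionEvaluator interface, and an AccessClassService that uses the @PreAuthorize annotation.
When I set breakpoints on the hasPermission methods in the PermissionResolver class and run the application in debug mode, I find that the hasPermission method is never called.
Can anyone help me?
My securityContext.xml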
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:global-method-security pre-post-annotations="enabled">
        <security:expression-handler ref="permissionHandler"/>
    </security:global-method-security>

    <bean id="permissionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <property name="permissionEvaluator" ref="eval"/>
    </bean>

    <bean id="eval" class="org.mydomain.myapp.infrastructure.security.PermissionResolver" />

    <security:http auto-config="true" use-expressions="true" disable-url-rewriting="true">
        <security:intercept-url pattern="/favicon.ico" access="permitAll" />
        <security:intercept-url pattern="/resources/**" access="permitAll"/>
        <security:intercept-url pattern="/login" access="isAnonymous()"/>
        <security:intercept-url pattern="/registration/**" access="isAnonymous()"/>
        <security:intercept-url pattern="/restorePassword" access="isAnonymous()"/>
        <security:intercept-url pattern="/**" access="isAuthenticated()"/>
        <security:form-login login-page="/login" authentication-failure-url="/login?fail" default-target-url="/" />
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider user-service-ref="hibernateUserService" />
    </security:authentication-manager>
</beans>
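My PermissionResolver.java
import java.io.Serializable;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

public class PermissionResolver implements PermissionEvaluator {

    // The @PreAuthorize-annotated service is injected into the evaluator
    @Autowired
    private AccessClassService service;

    // Called for hasPermission(targetDomainObject, permission)
    @Override
    public boolean hasPermission(Authentication a, Object o, Object o1) {
        return false;
    }

    // Called for hasPermission(targetId, targetType, permission)
    @Override
    public boolean hasPermission(Authentication a, Serializable targetId, String targetType, Object o) {
        return false;
    }
}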
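The service with the @PreAuthorize annotation (contains test parameters)
import org.hibernate.criterion.Projections;
import org.hibernate.criterion.Restrictions;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
public class AccessClassService {

    @Autowired
    private PersistableDAO dao;

    public AccessClass getInitialAccessClass() {
        return dao.getOneByAttr(AccessClass.class, "number", 0);
    }

    // The two-argument hasPermission(...) maps to the evaluator's
    // (Authentication, Object, Object) method
    @Transactional
    @PreAuthorize("hasPermission('12','AccessClass')")
    public AccessClass get(Long id) {
        return dao.get(AccessClass.class, id);
    }

    public Integer getAccessClassNumber(Long id) {
        return (Integer) dao.getCriteria(AccessClass.class)
                .setProjection(Projections.property("number"))
                .add(Restrictions.eq("id", id)).uniqueResult();
    }
}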
Answer 0 (score: 0)
Problem solved. I can't use the service in PermissionResolver. If I don't use it, or use the DAO instead, everything works fine.
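One way to keep calling the service from the evaluator, as an added example that is not part of the original question or answer: resolve AccessClassService on first use instead of injecting it with @Autowired. It assumes the failure comes from the evaluator pulling the service into existence while method security is still being set up, which leaves the service without its security proxy. The expression form `hasPermission(#id, 'AccessClass', 'read')` and the `ACCESS_CLASS_<number>` authority naming are hypothetical.

```java
import java.io.Serializable;

import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Added example. The import of the page's AccessClassService is omitted
// because its package is not shown in the question.
public class PermissionResolver implements PermissionEvaluator, ApplicationContextAware {

    private ApplicationContext context;
    private volatile AccessClassService service; // resolved lazily, never @Autowired

    @Override
    public void setApplicationContext(ApplicationContext context) {
        this.context = context;
    }

    // First call happens at request time, after the context is fully built,
    // so the bean returned here is the normally post-processed one.
    private AccessClassService service() {
        AccessClassService s = service;
        if (s == null) {
            s = context.getBean(AccessClassService.class);
            service = s;
        }
        return s;
    }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        return false; // deny by default: this form is not used in the example
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (auth == null || !(targetId instanceof Long) || !"AccessClass".equals(targetType)) {
            return false; // unknown input is denied, never allowed
        }
        // Call only methods without @PreAuthorize here, or the check recurses.
        Integer number = service().getAccessClassNumber((Long) targetId);
        if (number == null) return false;
        String required = "ACCESS_CLASS_" + number; // hypothetical authority naming
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (required.equals(ga.getAuthority())) return true;
        }
        return false;
    }
}
```

Because an unproxied service skips @PreAuthorize silently, an integration test asserting `AopUtils.isAopProxy(accessClassService)` catches a regression of this wiring.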