Spring安全注释无法正常工作

时间:2014-03-26 15:36:24

标签: spring spring-mvc spring-security

我已经尝试过,但似乎我无法使弹簧安全注释工作。我已经参考了很多网站..我似乎无法看到我的代码有什么问题。任何帮助将不胜感激

这是spring security xml 

<security:global-method-security pre-post-annotations="enabled"/>
<security:http auto-config="true" use-expressions="true">
  <security:intercept-url pattern="/login" access="permitAll" />
  <security:intercept-url pattern="/logout" access="permitAll" />
  <security:intercept-url pattern="/accessdenied" access="permitAll" />
  <security:intercept-url pattern="/**/*.css" access="permitAll" />
  <security:intercept-url pattern="/**/*.js" access="permitAll" />
  <security:intercept-url pattern="/**" access="hasRole('LANDING')" />
  <security:form-login login-page="/login" default-target-url="/landing" authentication-failure-url="/login" authentication-success-handler-ref="loginSuccesHandler" />
  <security:logout logout-success-url="/logout" />
</security:http>

这是我的web.xml 

<servlet>
    <servlet-name>dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet
    </servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>
<filter> 
  <filter-name>XSSFilter</filter-name> 
  <filter-class>simptex.my.core.security.filter.XSSFilter</filter-class> 
</filter>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping> 
  <filter-name>XSSFilter</filter-name> 
  <url-pattern>/*</url-pattern> 
</filter-mapping>
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/dispatcher-servlet.xml
        /WEB-INF/application-security.xml
    </param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>

这是一个java代码示例

@PreAuthorize("hasAuthority('ROLE_TELLER')")
@RequestMapping(value = "/urlxxxx" , method = RequestMethod.GET)
public String controlerMethod(HttpServletRequest req, HttpSession session) {


    return "urlxxxx";
}

1 个答案:

答案 0 :(得分:0)

首先,我认为你正在使用错误的表达方式。根据Spring文档here,我没有看到hasAuthority()表达式。但是有一个hasRole()表达式。因此,在您的情况下,我认为您需要将注释更改为@PreAuthorize("hasRole('ROLE_TELLER')")

其次,Spring文档声明:

  

要使用hasPermission()表达式,您必须在应用程序上下文中显式配置PermissionEvaluator

因此,在安全性XML配置中,使用以下bean声明:

<bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler" />

然后将您的security:global-method-security定义更新为:

<security:global-method-security pre-post-annotations="enabled">
     <security:expression-handler ref="expressionHandler"/>
</security:global-method-security>

这应该足以让默认的Spring Security注释开箱即用。

相关问题
最新问题