我尝试使用Spring Security(3.2.4)来授权访问控制器方法。我使用Spring JavaConfig配置我的应用程序。应用程序启动成功,遗憾的是@PreAuthoize表达式永远不会被执行。
以下是我如何配置我的应用程序:
public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class<?>[] {WebSecurityConfig.class};
}
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class<?>[] {WebAppConfig.class};
}
@Override
protected String[] getServletMappings() {
return new String[] {"/"};
}
}
public class WebAppSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
}
@Configuration
@EnableWebMvc
@Import({ CoreAppConfig.class })
@ComponentScan(basePackageClasses = ControllerScanningMarker.class)
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebAppConfig extends WebMvcConfigurerAdapter {
}
目前,我实际上并未对任何用户进行身份验证,因此我预计对所有人都会拒绝访问@PreAuthorize带注释的控制器方法,但这种情况并未发生。显然,最终目标是实际验证用户身份。
@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void registerGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication();
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
}
}
@Controller
@RequestMapping(produces = APPLICATION_JSON_VALUE)
public class RegistrationController {
@Autowired
private RegistrationService registrationService;
@PreAuthorize("hasRole('ROLE_USER')")
@RequestMapping(value = "/orders/{orderId}/registrations", method = POST, consumes = APPLICATION_JSON_VALUE)
@ResponseBody
public RegistrationResponse registerVerification(@PathVariable String orderId, @RequestBody @Valid Registration registration) {
RegistrationResult result = registrationService.registerVerification(registration);
return new RegistrationResponse(result);
}
}
如果有人之前见过这样的话,我会非常感谢小费。
谢谢。
2014年11月7日更新
我已经重新审视了这个并修复了未找到身份验证管理器的问题,但我仍然无法使@PreAuthorize注释生效(请参阅上面的所有更改)。
我在日志中收到以下警告:
00:04:06.090 [localhost-startStop-1] INFO org.springframework.web.context.support.AnnotationConfigWebApplicationContext - Bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler@5c694679' of type [class org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
00:04:06.154 [localhost-startStop-1] INFO org.springframework.web.context.support.AnnotationConfigWebApplicationContext - Bean 'enableGlobalAuthenticationAutowiredConfigurer' of type [class org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration$EnableGlobalAuthenticationAutowiredConfigurer] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
00:04:06.161 [localhost-startStop-1] INFO org.springframework.web.context.support.AnnotationConfigWebApplicationContext - Bean 'org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration' of type [class org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration$$EnhancerByCGLIB$$47d25495] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
00:04:06.188 [localhost-startStop-1] INFO org.springframework.web.context.support.AnnotationConfigWebApplicationContext - Bean 'org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration' of type [class org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration$$EnhancerByCGLIB$$6313a932] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
00:04:06.223 [localhost-startStop-1] INFO org.springframework.web.context.support.AnnotationConfigWebApplicationContext - Bean 'methodSecurityMetadataSource' of type [class org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
00:04:06.229 [localhost-startStop-1] INFO org.springframework.web.context.support.AnnotationConfigWebApplicationContext - Bean 'metaDataSourceAdvisor' of type [class org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
答案 0 :(得分:0)
我能够在我的实现中为我的应用程序定义用户和角色
我的安全配置器类中的protected void configureGlobal(AuthenticationManagerBuilder auth)。
auth.inMemoryAuthentication().withUser("user").roles("user","otherrole").and().withUser("user2").roles("otherrole")
@PreAuthorize("hasRole('ROLE_USER')")注释拒绝访问user2,但拒绝访问带注释的控制器方法的用户
答案 1 :(得分:0)
@EnableGlobalMethodSecurity(prePostEnabled = true)在java config中工作