Spring Security allows unauthorized access to secured methods

Time: 2014-07-03 15:37:31

Tags: spring spring-mvc spring-security

I am trying to add security to my web application, which uses Spring MVC, REST controllers and Spring Data. The problem I am running into is that anyone can access the methods annotated with @PreAuthorize (no login is required).

My controller:

@RestController
@RequestMapping("/controller")
public class Controller {

    @RequestMapping(value = "/public/{name}", method = RequestMethod.GET)
    public String storeEntityPublic(@PathVariable String name) {
        String result = "Hello " + name + ", I am saving on the db. (PUBLIC)";
        /* stuff */

        return result;
    }

    // hasAnyRole() takes one role per argument; a single 'ROLE_USER,ROLE_ADMIN'
    // string would be matched as one literal role name and never grant access
    @PreAuthorize("hasAnyRole('ROLE_USER','ROLE_ADMIN')")
    @RequestMapping(value = "/user/{name}", method = RequestMethod.GET)
    public String storeEntityUserOrAdmin(@PathVariable String name) {
        String result = "Hello " + name
                + ", I am saving on the db. (USER OR ADMIN)";
        controller.saveEntity(name); // persistence collaborator, not shown in the post

        return result;
    }

    @PreAuthorize("hasRole('ROLE_ADMIN')")
    @RequestMapping(value = "/admin/{name}", method = RequestMethod.GET)
    public String storeEntityAdmin(@PathVariable String name) {
        String result = "Hello Admin " + name
                + ", I am saving on the db. (ADMIN ONLY)";
        controller.saveEntity(name); // persistence collaborator, not shown in the post

        return result;
    }
}

My security configuration:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">


<global-method-security pre-post-annotations="enabled" />

<http auto-config="true" />

<!-- Configure Authentication mechanism -->
<authentication-manager alias="authenticationManager">
    <authentication-provider>
        <user-service>
            <user name="admin" password="admin" authorities="ROLE_ADMIN" />
            <user name="user" password="user" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>
</beans:beans>

My applicationContext imports the security configuration file correctly.

In my web.xml I added the following:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Finally, my applicationContext.xml:

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:jpa="http://www.springframework.org/schema/data/jpa"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.2.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.2.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd http://www.springframework.org/schema/data/jpa http://www.springframework.org/schema/data/jpa/spring-jpa.xsd">

<context:property-placeholder location="classpath*:spring/*.properties" />
<context:component-scan base-package="org.my.project" />


<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"
    destroy-method="close">
    <property name="driverClassName" value="${database.driverClassName}" />
    <property name="url" value="${database.url}" />
    <property name="username" value="${database.username}" />
    <property name="password" value="${database.password}" />
    <property name="initialSize" value="3" />
    <property name="maxActive" value="10" />
</bean>

<tx:annotation-driven mode="proxy"
    transaction-manager="transactionManager" />
<bean class="org.springframework.orm.jpa.JpaTransactionManager"
    id="transactionManager">
    <property name="entityManagerFactory" ref="entityManagerFactory" />
</bean>

<bean
    class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean"
    id="entityManagerFactory">
    <property name="persistenceUnitName" value="persistenceUnit" />
    <property name="dataSource" ref="dataSource" />
</bean>

<import resource="classpath:spring/applicationContext-jpa.xml" />
<import resource="classpath:spring/applicationContext-security.xml" />
</beans>

The project deploys correctly and I get no warnings about security.

1 answer:

Answer 0: (score: 2)

The Spring Security documentation says this about annotated methods:

Annotated methods will only be secured for instances which are defined as Spring beans (in the same application context in which method-security is enabled).

I think you are defining the controller beans in a context different from the one in which the security context is defined. Try putting the element below into the context that defines the beans you want to secure.

<global-method-security pre-post-annotations="enabled" />
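The failure mode in this thread is silent: the @PreAuthorize annotations are present, the application starts without warnings, and nothing enforces them because the controllers live in the DispatcherServlet's child context while <global-method-security> is declared in the root context. Method security works by wrapping each secured bean in an AOP proxy, so the condition is observable at startup. The following listener, added here as an example and not part of the original question or answer, walks every @RestController bean in the context it is registered in and reports those that declare @PreAuthorize/@PostAuthorize but were never proxied. The class name MethodSecurityProxyCheck is this example's own choice; it assumes it is picked up by the component scan of the same context that holds the controllers (org.my.project in the question). All Spring and Spring Security APIs used exist in the 3.x versions referenced on the page.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.springframework.aop.support.AopUtils;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationListener;
import org.springframework.context.event.ContextRefreshedEvent;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Component;
import org.springframework.util.ReflectionUtils;
import org.springframework.web.bind.annotation.RestController;

/**
 * Startup check (example code, not from the original post): reports secured
 * controllers that are not AOP proxies, i.e. whose @PreAuthorize/@PostAuthorize
 * annotations are never evaluated. Register it in the SAME context that
 * defines the controllers; a controller listed by this check is exactly the
 * symptom described in the question.
 */
@Component
public class MethodSecurityProxyCheck implements ApplicationListener<ContextRefreshedEvent> {

    @Override
    public void onApplicationEvent(ContextRefreshedEvent event) {
        List<String> findings = findUnproxiedSecuredControllers(event.getApplicationContext());
        for (String finding : findings) {
            // Swap for your logging framework; System.err keeps the example dependency-free.
            System.err.println("SECURITY MISCONFIGURATION: " + finding);
        }
    }

    /**
     * One message per @RestController bean that has at least one secured method
     * but is a plain object rather than a proxy.
     */
    static List<String> findUnproxiedSecuredControllers(ApplicationContext ctx) {
        List<String> findings = new ArrayList<>();
        Map<String, Object> controllers = ctx.getBeansWithAnnotation(RestController.class);
        for (Map.Entry<String, Object> entry : controllers.entrySet()) {
            Object bean = entry.getValue();
            // getTargetClass() unwraps a proxy so the annotation scan sees the real class
            Class<?> target = AopUtils.getTargetClass(bean);
            List<String> secured = securedMethodNames(target);
            if (!secured.isEmpty() && !AopUtils.isAopProxy(bean)) {
                findings.add("bean '" + entry.getKey() + "' (" + target.getName()
                        + ") declares secured methods " + secured
                        + " but is not proxied; <global-method-security> is not enabled in context '"
                        + ctx.getDisplayName() + "', which defines the bean");
            }
        }
        return findings;
    }

    /** Names of user-declared methods carrying @PreAuthorize or @PostAuthorize. */
    static List<String> securedMethodNames(Class<?> type) {
        final List<String> names = new ArrayList<>();
        ReflectionUtils.doWithMethods(type, new ReflectionUtils.MethodCallback() {
            @Override
            public void doWith(Method m) {
                if (AnnotationUtils.findAnnotation(m, PreAuthorize.class) != null
                        || AnnotationUtils.findAnnotation(m, PostAuthorize.class) != null) {
                    names.add(m.getName());
                }
            }
        }, ReflectionUtils.USER_DECLARED_METHODS);
        return names;
    }
}
```

A bean can be proxied for other reasons (for example @Transactional), so "is a proxy" alone does not prove method security is active; the check only flags the definite failure case, an annotated bean with no proxy at all. Treat any finding as a deployment blocker rather than a warning, since the affected endpoints are reachable without authentication.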