Spring安全性:基于角色的访问控制

时间:2014-10-22 10:50:46

标签: spring-security

我试图将Spring安全性添加到我的Web应用程序(来自here),该应用程序必须支持角色和权限模型。我不知道配置中缺少的部分在哪里,但@PreAuthorize不起作用,我无法追踪它。 这是我的应用上下文文件。

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tx="http://www.springframework.org/schema/tx"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd">

    <context:component-scan base-package="com.njb.app" />

    <import resource="db.xml" />

    <bean id="jdbcUserService" 
        class="com.nj.app.SpringSecurityDaoImpl">
          <property name="dataSource" ref="dataSource"/>
          <property name="enableGroups" value="true" />
          <property name="enableAuthorities" value="false" />
          <property name="groupAuthoritiesByUsernameQuery">
               <value>SELECT R.SEC_ROLES, R.SEC_ROLES_ROLE_NAME, RI.SEC_RIGHT_NAME
                FROM SEC_ROLES R 
                JOIN SEC_USER_ROLE UR on R.SEC_ROLES = UR.SEC_ROLE_ID
                JOIN SEC_USERS U on U.SEC_USERS = UR.SEC_USER_ID
                JOIN SEC_ROLE_RIGHT RR ON RR.SEC_ROLE_ID = R.SEC_ROLES
                JOIN SEC_RIGHTS RI ON RI.SEC_RIGHT_ID = RR.SEC_RIGHT_ID
                WHERE U.SEC_USERS_USERNAME=?
            </value>
          </property>
    </bean>

    <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"
        destroy-method="close">
      <property name="driverClassName" value="${jdbc.driverClassName}" />
      <property name="url" value="${jdbc.url}" />
      <property name="username" value="${jdbc.username}" />
      <property name="password" value="${jdbc.password}" />
    </bean> 
</beans>

spring-security文件:

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">

<http auto-config="true" use-expressions="true">
    <!--<intercept-url pattern="/protected.jsf" access="isAuthenticated()" />-->
    <intercept-url pattern="*/user/*" access="hasRole('LIST_USERSSSSS')" />
    <intercept-url pattern="/auth" access="permitAll()" />
</http>

<!-- Use database authentication provider. -->
<authentication-manager>
    <authentication-provider user-service-ref="jdbcUserService">
    </authentication-provider>
</authentication-manager>

db xml 

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd  
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
        http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd" default-autowire="byName">

    <bean id="placeholderConfig"
        class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="location" value="classpath:jdbc.properties" />
    </bean>
        <bean id="loadTimeWeaver" 
       class="org.springframework.instrument.classloading.glassfish.GlassFishLoadTimeWeaver" />

          <bean id="entityManagerFactory"
                class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
              <property name="persistenceUnitName" value="PU" />
          </bean>


    <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"
        destroy-method="close">
        <property name="driverClassName" value="${jdbc.driverClassName}" />
        <property name="url" value="${jdbc.url}" />
        <property name="username" value="${jdbc.username}" />
        <property name="password" value="${jdbc.password}" />
</bean>

  <!-- Transaction manager for JTA  -->
<tx:jta-transaction-manager />
<!-- enable the configuration of transactional behavior based on annotations -->
<tx:annotation-driven />

<!-- checks for @Autowired beans -->
<context:annotation-config/>    

<!-- Scan for Repository/Service annotations -->
<context:component-scan base-package="...dao"/>
<context:component-scan base-package="...service"/>

和web.xml 

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    version="2.5">
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/root-context.xml
            /WEB-INF/spring-security.xml
        </param-value>
    </context-param>

    <!-- Enable Spring Security -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <!-- Allow login pages with JSF which redirects to security check, therefore we have to add the forward entry here -->
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <listener>
        <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
    </listener>

    <servlet>
        <servlet-name>appServlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/servlet-context.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
</web-app>

以下是我使用PreAuthorize注释的方式

    @PreAuthorize("hasRole('LIST_USERSS')")
    @RequestMapping(value = "/findAll", method = RequestMethod.GET, produces = {"application/json"})
    @ResponseBody
    public String findAll(HttpServletRequest request) { }

这是请求

http://localhost:8080/app/user/findAll.json?

1 个答案:

答案 0 :(得分:1)

要使@PreAuthorize和类似的注释生效,请添加安全文件:

<global-method-security pre-post-annotations="enabled" />
相关问题
最新问题