@PreAuthorize在Spring上不起作用

时间:2014-12-02 14:57:49

标签: spring spring-security

我使用的是 Spring Security 3.2.5,但不幸的是 @PreAuthorize 对类和方法都不起作用。按照文档的说法,只有当用户拥有注解中指定的角色时,@PreAuthorize 才应允许调用该方法或类;然而我却可以运行所有方法或类,完全不受角色的影响。下面是 security-config.xml、security-context.xml 以及我声明 @PreAuthorize 注解的类。如果你能帮我解决这个问题,我会非常感激。

security-config.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans 
xmlns="http://www.springframework.org/schema/security" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="
    http://www.springframework.org/schema/security 
    http://www.springframework.org/schema/security/spring-security-3.2.xsd
    http://www.springframework.org/schema/beans 
    http://www.springframework.org/schema/beans/spring-beans-4.0.xsd">

<!-- Requests matching this pattern skip the Spring Security filter chain entirely:
     no authentication is performed and no SecurityContext is populated for them. -->
<http pattern="/securityNone" security="none" />

<!-- Catch-all chain: every other URL requires an authenticated principal, checked
     at the URL level with HTTP Basic. No role distinction is made here; role checks
     are expected to come from the @PreAuthorize annotations enabled below. -->
<http use-expressions="true">
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <http-basic />
</http>
<!-- Enables @PreAuthorize/@PostAuthorize through Spring AOP proxies. Only beans that
     this application context instantiates get proxied: an object created by another
     container (a JSF @ManagedBean, for instance) or a bean living in a separate child
     context is never advised, and its annotations are ignored without any error.
     NOTE(review): security-context.xml declares global-method-security too; if both
     files are loaded into the same context the effective mode becomes ambiguous. -->
<global-method-security pre-post-annotations="enabled" />


<!-- In-memory user store for testing. No password-encoder is declared, so the
     password is stored and compared in clear text. The only account has ROLE_USER,
     which a @PreAuthorize("hasRole('ROLE_ADMIN')") check would reject once method
     security actually takes effect. -->
<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="alperk" password="123" authorities="ROLE_USER"  />
        </user-service>
    </authentication-provider>
</authentication-manager>

security-context.xml

  <beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:sec="http://www.springframework.org/schema/security"
   xsi:schemaLocation="
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans    /spring-beans-3.1.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<!-- NOTE(review): the beans schemaLocation above contains whitespace inside the URL
     ("beans    /spring-beans-3.1.xsd"); unless that is a paste artifact the XSD
     cannot be resolved. Both XSDs are 3.1 while the question states Spring Security
     3.2.5; point them at the 3.2 schema so the parser matches the jars in use. -->
<bean id="defaultAuthEventPublisher"     class="org.springframework.security.authentication.DefaultAuthenticationEventPublisher"/>

<!-- Explicit ProviderManager wired to the DAO provider below and to an event
     publisher, so success/failure events can be observed (useful for auditing). -->
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <property name="providers">
        <list>
            <ref bean="authenticationProvider"/>
        </list>
    </property>
    <property name="authenticationEventPublisher" ref="defaultAuthEventPublisher"/>
</bean>
<!-- Authentication service reference -->
<bean id="customUserDetailsService" class="tr.com.sistek.utak.authentication.AuthenticationUserDetailsService"/>

<!-- MD5 password encoding is used during authentication. -->
<!-- NOTE(review): Md5PasswordEncoder is unsalted unless a salt source is configured
     and belongs to the deprecated encoding package; prefer a BCrypt-style encoder.
     It is also not wired into the provider (the property below is commented out),
     so DaoAuthenticationProvider currently compares passwords in clear text. -->
 <bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"/>

<bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="customUserDetailsService"/>
    <!--<property name="passwordEncoder" ref="passwordEncoder"/>-->
</bean>

<bean id="authenticationSuccessHandler" class="tr.com.sistek.utak.authentication.CustomAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="/faces/private/MainMenu.jsf"/>
</bean> 

<!-- Maps each authentication failure type to its own redirect target. -->
<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
    <property name="exceptionMappings">
        <props>
            <prop key="org.springframework.security.authentication.BadCredentialsException">/login-failure.jsf?err=HATALI_PWD</prop>
            <prop key="org.springframework.security.authentication.CredentialsExpiredException">/change-password.jsf</prop>
            <prop key="org.springframework.security.authentication.LockedException">/login-failure.jsf?err=HESAP_KILITLI</prop>
            <prop key="org.springframework.security.authentication.DisabledException">/login-failure.jsf?err=HESAP_PASIF</prop>
        </props>
    </property>
</bean>

<bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
    <property name="errorPage" value="/error401.jsf"/>
</bean> 

<!-- Used to check the information entered during login. -->
<!-- NOTE(review): the property names suggest a UsernamePasswordAuthenticationFilter
     subclass (confirm against the class). postOnly="false" lets credentials arrive in
     a GET query string, where they end up in access logs, proxies and browser history;
     keep the default (true) unless a GET login is genuinely required. -->
<bean id="customPreAuthenticationLoginHandler" class="tr.com.sistek.utak.authentication.CustomPreAuthenticationLoginHandler">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
    <property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
    <property name="filterProcessesUrl" value="/j_security_check" />

    <property name="sessionAuthenticationStrategy" ref="sas" />

    <property name="postOnly" value="false" />
</bean>

<!-- Static-resource chains: these paths bypass the security filters completely. -->
<sec:http pattern="/assets/**" security="none"/>
<sec:http pattern="/images/**" security="none"/>
<sec:http pattern="/resources/**" security="none"/>
<sec:http pattern="/themes/**" security="none"/>
<sec:http pattern="/javax.faces.resource/**" security="none"/>

<!-- NOTE(review): mode="aspectj" does not use Spring AOP proxies. It needs the
     spring-security-aspects module plus AspectJ compile-time or load-time weaving;
     without weaving the annotations are never enforced and no error is raised, which
     matches the symptom described in the question. proxy-target-class has no effect
     in this mode. A JSF managed bean would not be advised in proxy mode either,
     because Spring does not create it. -->
<sec:global-method-security             
    pre-post-annotations="enabled"
    mode="aspectj"
    proxy-target-class="true">
</sec:global-method-security>


<!-- Main chain. auto-config="true" additionally registers http-basic and logout
     support. Only /dashboard/** carries an access rule: every other URL handled by
     this chain has no URL-level restriction and depends entirely on method security,
     which is exactly what is not working. No csrf element is declared, and in 3.2 XML
     configuration CSRF protection is therefore off, so the GET /logout below is
     reachable cross-site. NOTE(review): security-config.xml also defines a
     pattern-less http chain; loading both files into one context will conflict. -->
<sec:http auto-config="true" use-expressions="true"  
          authentication-manager-ref="authenticationManager">  


    <sec:intercept-url pattern="/dashboard/**" access="isAuthenticated()"/>
    <sec:custom-filter before="FORM_LOGIN_FILTER" ref="customPreAuthenticationLoginHandler"/>

    <sec:form-login login-page="/login.jsf" 
                    authentication-failure-handler-ref = "authenticationFailureHandler"
                    default-target-url="/faces/private/MainMenu.jsf"/>

    <sec:access-denied-handler ref = "accessDeniedHandler"/>

    <sec:logout invalidate-session="true" 
                logout-success-url="/login.jsf" 
                logout-url="/logout"/>

    <sec:session-management invalid-session-url="/login.jsf" session-authentication-strategy-ref="sas"/>

    <sec:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />

</sec:http>


<bean id="jsfRedirectStrategy" class="tr.com.sistek.utak.jsf.filter.JsfRedirectStrategy"/>

<bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>

<!-- Authentication logout handler -->
<bean id="customAuthenticationLogoutHandler" class="tr.com.sistek.utak.authentication.CustomAuthenticationLogoutHandler"/>

<!-- ******************************************************************* -->
<!-- Concurrent Session Management Configuration-->
<!-- ******************************************************************* -->
<!-- Redirects requests that arrive on a session the registry has marked expired. -->
<bean id="concurrencyFilter"
      class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <property name="sessionRegistry" ref="sessionRegistry" />
    <property name="expiredUrl" value="/session-expired.jsf" />
    <!-- this permits redirection to session timeout page from javascript/ajax or http -->
    <property name="redirectStrategy" ref="jsfRedirectStrategy" />
</bean>

<!-- maximumSessions="1": a second login for the same user expires the older session
     rather than being rejected, because exceptionIfMaximumExceeded is left at its
     default of false (the property is commented out below). -->
<bean id="sas" class= "org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    <property name="maximumSessions" value="1" />
   <!--        <property name="alwaysCreateSession" value="true" />
    <property name="exceptionIfMaximumExceeded" value="true" />-->
</bean>

<bean id="sessionRegistry"
      class="org.springframework.security.core.session.SessionRegistryImpl" />

Bean:

@ManagedBean
@ViewScoped
// NOTE(review): @ManagedBean makes this a JSF-managed bean, not a Spring bean. Spring's
// method security only advises beans that Spring itself instantiates, so this class-level
// @PreAuthorize is never evaluated on the JSF instance. Were it evaluated, the only user in
// security-config.xml (ROLE_USER) would be denied, because ROLE_ADMIN is required here.
@PreAuthorize("hasRole('ROLE_ADMIN')")
public class OrderDetView implements Serializable {

...

1 个答案:

答案 0 :(得分:0)

这只是我的第一个想法:

您的 @ManagedBean 和 @ViewScoped 注解表明您使用的是 JSF 框架;也许您的 OrderDetView bean 只是一个 JSF 托管 bean,而不是 Spring bean。但 @PreAuthorize 仅对 Spring bean 生效。