Using EnableGlobalMethodSecurity does not seem to have any effect

Time: 2015-02-23 04:12:07

Tags: spring spring-mvc spring-security

I have a Spring controller in which I have a method that is accessible to admin users:

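import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
@RequestMapping("/*")
public class HomeController {

    // Intended to be reachable only by callers holding ROLE_ADMIN
    @RequestMapping(value = "addset", method = RequestMethod.GET, consumes = "application/json")
    @Secured("ROLE_ADMIN")
    public @ResponseBody Message addSet() {
        return new Message(100, "Congratulations!", "Set added");
    }
}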

My Application.java is as follows:

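import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@ComponentScan
@EnableAutoConfiguration
@EnableGlobalMethodSecurity(securedEnabled = true)
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    @Bean
    public ApplicationSecurity applicationSecurity() {
        return new ApplicationSecurity();
    }

    // Registers the custom UserDetailsService with the global AuthenticationManagerBuilder
    @Order(Ordered.HIGHEST_PRECEDENCE)
    @Configuration
    protected static class AuthenticationSecurity extends
            GlobalAuthenticationConfigurerAdapter {

        @Autowired
        private CustomUserDetailsService users;

        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(users);
        }
    }

    // URL-level rules: /signup and /about are open, everything else needs HTTP Basic authentication
    protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            http
                    .csrf().disable()
                    .authorizeRequests()
                    .antMatchers("/signup","/about").permitAll()
                    .anyRequest().authenticated()
                    .and()
                    .httpBasic().and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);

            // @formatter:on
        }

    }

}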

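However, I am able to access the method as a normal user as well. EnableGlobalMethodSecurity does not have any effect. I suspect this is because the annotation is on the Application class, which has a different scope from the HomeController class. If I try to move the annotation onto the HomeController class, I get an error: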

Error creating bean with name 'methodSecurityInterceptor' defined in class path resource [org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.class]: Instantiation of bean failed; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: Factory method [public org.aopalliance.intercept.MethodInterceptor org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration.methodSecurityInterceptor() throws java.lang.Exception] threw exception; nested exception is org.springframework.beans.factory.BeanCurrentlyInCreationException: Error creating bean with name 'methodSecurityInterceptor': Requested bean is currently in creation: Is there an unresolvable circular reference?

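The whole error is at: http://pastebin.com/NtN7Ai7u

I am not sure why a circular reference is occurring. Also, is the annotation having no effect because, as I suspect, it is placed incorrectly?

Update: After incorporating most of the changes suggested by @Vaelyr, I still get the same result.

My Application.java is now: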

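import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;

@Configuration
@ComponentScan
@EnableAutoConfiguration
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}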

I created a new class, ApplicationSecurity, as follows:

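import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@EnableWebSecurity
@Configuration
@Order(1)
@EnableGlobalMethodSecurity(securedEnabled = true)
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomUserDetailsService users;

    // URL-level rules: /signup and /about are open, everything else needs HTTP Basic authentication
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
                .csrf().disable()
                .authorizeRequests()
                .antMatchers("/signup","/about").permitAll()
                .anyRequest().authenticated()
                .and()
                .httpBasic().and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
        //http.sessionManagement().sessionAuthenticationStrategy().
        // @formatter:on
    }

    // Users and their authorities come from the custom UserDetailsService
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(users);
    }
}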

My controller is now:

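import org.springframework.security.access.annotation.Secured;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HomeController {

    // Intended to be reachable only by callers holding ROLE_ADMIN
    @RequestMapping(value = "addset", method = RequestMethod.GET, consumes = "application/json")
    @Secured("ROLE_ADMIN")
    public @ResponseBody Message addSet() {
        return new Message(100, "Congratulations!", "Set added");
    }
}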

I can share the details of my CustomUserDetailsService or my Android client code if required.

0 answers:

No answers
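
A regression check for the behaviour the question expects, added here as an example and not taken from the post: a MockMvc test asserting that `/addset` answers 403 to a caller holding only ROLE_USER, 200 to ROLE_ADMIN, and 401 to an unauthenticated caller. It assumes Spring Boot 1.4 or later with spring-boot-starter-test, spring-security-test and JUnit 4 on the test classpath, that the test sits in the same package as `Application`, and that the application context (including `CustomUserDetailsService`) starts under test; the class name `AddSetAccessTest` is hypothetical.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

// Added example (hypothetical test class, not from the post).
@RunWith(SpringRunner.class)
@SpringBootTest(classes = Application.class)
@AutoConfigureMockMvc // MockMvc with the Spring Security filter chain applied
public class AddSetAccessTest {

    @Autowired
    private MockMvc mvc;

    // The mapping declares consumes = "application/json", so every request sends that Content-Type.
    @Test
    @WithMockUser(username = "user", roles = "USER") // authority ROLE_USER
    public void normalUserIsForbidden() throws Exception {
        // Passes the URL rule (authenticated) but must be stopped by @Secured("ROLE_ADMIN")
        mvc.perform(get("/addset").contentType(MediaType.APPLICATION_JSON))
           .andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(username = "admin", roles = "ADMIN") // authority ROLE_ADMIN
    public void adminIsAllowed() throws Exception {
        mvc.perform(get("/addset").contentType(MediaType.APPLICATION_JSON))
           .andExpect(status().isOk());
    }

    @Test
    public void anonymousIsRejectedByUrlRule() throws Exception {
        // anyRequest().authenticated() with httpBasic() answers 401 before the method is reached
        mvc.perform(get("/addset").contentType(MediaType.APPLICATION_JSON))
           .andExpect(status().isUnauthorized());
    }
}
```

`@WithMockUser` supplies the authorities directly and bypasses `CustomUserDetailsService`. If `normalUserIsForbidden` passes while real normal users still reach the method, compare the authorities that service returns with the `ROLE_ADMIN` string used in `@Secured`.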