Spring Security authorization problem

Time: 2015-03-14 22:08:56

Tags: java spring java-ee spring-security java-ee-6

I am trying to authorize my REST service methods for a user or an admin. But it does not seem to authorize them; it passes straight through the @Secured and @PreAuthorize annotations.

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, mode = org.springframework.context.annotation.AdviceMode.ASPECTJ, proxyTargetClass = true)
    public class UserDetailsSecurityConfig extends WebSecurityConfigurerAdapter {
        // Some code here
    }

My application configuration file:

    @EnableWebMvc
    @Configuration
    @ComponentScan({ "com.ws.service.*" })
    @Import({ UserDetailsSecurityConfig.class })
    @javax.ws.rs.ApplicationPath("webresources")
    public class AppConfig extends Application {
        // Some code here
    }

My REST service method:

    @GET
    @Secured("ROLE_ADMIN")
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    @Path("getUser")
    @Produces({"application/xml", "application/json"})
    public User GetUser() {
        User result;
        try {
            result = new User();
        } catch (NoResultException ne) {
            result = null;
        }
        return result;
    }

Now I log in either as an admin user with ROLE_ADMIN or as a simple user with ROLE_USER. Spring Security authorizes this method either way.

I have changed the security logging to Fine, as the PreAuthorize annotation seems to be working. But I end up with the same result.

Finest:   Looking for Pre/Post annotations for method 'GetUser' on target class 'class com.ws.service.UserFacadeREST'
Fine:   @org.springframework.security.access.prepost.PreAuthorize(value=hasRole('ROLE_ADMIN')) found on specific method: public com.ws.UpUser com.ws.service.UserFacadeREST.GetUser()
Fine:   Caching method [CacheKey[com.ws.service.UserFacadeREST; public com.ws.User com.ws.service.UserFacadeREST.GetUser()]] with attributes [[authorize: 'hasRole('ROLE_ADMIN')', filter: 'null', filterTarget: 'null']]

When I try to log in, it logs in successfully. I log in as "user", who has "ROLE_USER" in the database.

Fine:   /login at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
Fine:   /login at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
Fine:   HttpSession returned null object for SPRING_SECURITY_CONTEXT
Fine:   No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@5094f334. A new one will be created.
Fine:   /login at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
Fine:   Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@50da4786
Fine:   /login at position 4 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
Fine:   /login at position 5 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
Fine:   Checking match of request : '/login'; against '/logout'
Fine:   /login at position 6 of 14 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
Fine:   Checking match of request : '/login'; against '/login'
Fine:   Request is to process authentication
Fine:   Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
Fine:   Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@72e0fc63
Fine:   Delegating to org.springframework.security.web.csrf.CsrfAuthenticationStrategy@5c8272c1
Fine:   Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4428690f: Principal: org.springframework.security.core.userdetails.User@36ebcb: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: a50e5eecf72b5493c618ffbb20f0; Granted Authorities: ROLE_USER
Fine:   Redirecting to DefaultSavedRequest Url: http://localhost:8080/LmsWebService/webresources/upuser/getUser
Fine:   Redirecting to 'http://localhost:8080/LmsWebService/webresources/upuser/getUser'
Fine:   SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@4428690f: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4428690f: Principal: org.springframework.security.core.userdetails.User@36ebcb: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: a50e5eecf72b5493c618ffbb20f0; Granted Authorities: ROLE_USER'
Fine:   SecurityContextHolder now cleared, as request processing completed
Fine:   /webresources/upuser/getUser at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
Fine:   /webresources/upuser/getUser at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
Fine:   Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@4428690f: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4428690f: Principal: org.springframework.security.core.userdetails.User@36ebcb: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: a50e5eecf72b5493c618ffbb20f0; Granted Authorities: ROLE_USER'
Fine:   /webresources/upuser/getUser at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
Fine:   Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@50da4786
Fine:   /webresources/upuser/getUser at position 4 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
Fine:   /webresources/upuser/getUser at position 5 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
Fine:   Checking match of request : '/webresources/upuser/getuser'; against '/logout'
Fine:   /webresources/upuser/getUser at position 6 of 14 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
Fine:   Request 'GET /webresources/upuser/getuser' doesn't match 'POST /login
Fine:   /webresources/upuser/getUser at position 7 of 14 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
Fine:   /webresources/upuser/getUser at position 8 of 14 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
Fine:   /webresources/upuser/getUser at position 9 of 14 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
Fine:   pathInfo: arg1=/upuser/getUser; arg2=/upuser/getUser (property equals)
Fine:   queryString: both null (property equals)
Fine:   requestURI: arg1=/LmsWebService/webresources/upuser/getUser; arg2=/LmsWebService/webresources/upuser/getUser (property equals)
Fine:   serverPort: arg1=8080; arg2=8080 (property equals)
Fine:   requestURL: arg1=http://localhost:8080/LmsWebService/webresources/upuser/getUser; arg2=http://localhost:8080/LmsWebService/webresources/upuser/getUser (property equals)
Fine:   scheme: arg1=http; arg2=http (property equals)
Fine:   serverName: arg1=localhost; arg2=localhost (property equals)
Fine:   contextPath: arg1=/LmsWebService; arg2=/LmsWebService (property equals)
Fine:   servletPath: arg1=/webresources; arg2=/webresources (property equals)
Fine:   Removing DefaultSavedRequest from session if present
Fine:   /webresources/upuser/getUser at position 10 of 14 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
Fine:   /webresources/upuser/getUser at position 11 of 14 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
Fine:   SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4428690f: Principal: org.springframework.security.core.userdetails.User@36ebcb: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: a50e5eecf72b5493c618ffbb20f0; Granted Authorities: ROLE_USER'
Fine:   /webresources/upuser/getUser at position 12 of 14 in additional filter chain; firing Filter: 'SessionManagementFilter'
Fine:   /webresources/upuser/getUser at position 13 of 14 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
Fine:   /webresources/upuser/getUser at position 14 of 14 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
Fine:   Secure object: FilterInvocation: URL: /webresources/upuser/getUser; Attributes: [authenticated]
Fine:   Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4428690f: Principal: org.springframework.security.core.userdetails.User@36ebcb: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: a50e5eecf72b5493c618ffbb20f0; Granted Authorities: ROLE_USER
Fine:   Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3fb68f13, returned: 1
Fine:   Authorization successful
Fine:   RunAsManager did not change Authentication object
Fine:   /webresources/upuser/getUser reached end of additional filter chain; proceeding with original chain
Info:   MonitorFilter::WARNING: the monitor filter must be the first filter in the chain.
Fine:   Chain processed normally
Fine:   SecurityContextHolder now cleared, as request processing completed

Can anyone tell me what I am doing wrong in all this? Or does Spring Security not work with GlassFish?

My environment:

  1. Java EE 1.6
  2. Spring Security
  3. GlassFish Server 4.1
  4. MySQL Database
  5. Maven
  6. JPA

Edit #1

    @Configuration
    @EnableWebSecurity
    @EnableWebMvcSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true, mode = org.springframework.context.annotation.AdviceMode.ASPECTJ, proxyTargetClass = true)
    public class UserDetailsSecurityConfig extends WebSecurityConfigurerAdapter {
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(new CustomJDBCDaoImpl());
        }
    }
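Added example (not the asker's code): the log above shows that the only rule enforced for `/webresources/upuser/getUser` is the URL-level `[authenticated]` attribute evaluated by `FilterSecurityInterceptor`, and no method-security interceptor entry appears for the call, so a role rule on the URL path gives a second enforcement point that holds even when the method-level annotation is never intercepted. The `/webresources/upuser/**` pattern is taken from the request path in the log; the class name is hypothetical and the Spring Security 3.2-era Java config API is assumed.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example: URL-level role enforcement for the JAX-RS resource path.
// Class name is hypothetical; the path pattern comes from the request in the log
// ("Secure object: FilterInvocation: URL: /webresources/upuser/getUser").
@Configuration
@EnableWebSecurity
public class UrlLevelSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Weak (what the log reflects): the only attribute the filter
                // layer evaluates is [authenticated], so a ROLE_USER session
                // reaches GetUser() whenever the method-level @PreAuthorize
                // is not actually intercepted:
                //   .anyRequest().authenticated()

                // Hardened: enforce the role at the URL layer as well. Rules
                // are matched in declaration order, so the specific pattern
                // must precede anyRequest(); hasRole("ADMIN") matches the
                // granted authority "ROLE_ADMIN" seen in the log.
                .antMatchers("/webresources/upuser/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .httpBasic();
    }
}
```

With `mode = AdviceMode.ASPECTJ`, the `@PreAuthorize` check only runs if the spring-security-aspects aspect is actually woven (compile-time or load-time) into `UserFacadeREST`; the URL rule above does not depend on that.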

0 answers:

No answers