Spring Security: Unsupported configuration attributes

Time: 2015-06-28 13:50:29

Tags: spring spring-mvc spring-security

I have the following code snippet

require Devel::Symdump;
@packs = qw(some_package another_package);
$obj = Devel::Symdump->new(@packs);        # no recursion
$obj = Devel::Symdump->rnew(@packs);       # with recursion
# Methods
@array = $obj->packages;
@array = $obj->scalars;
@array = $obj->arrays;
@array = $obj->hashes;
@array = $obj->functions;
@array = $obj->filehandles;  # deprecated, use ios instead
@array = $obj->dirhandles;   # deprecated, use ios instead
@array = $obj->ios;
@array = $obj->unknowns;     # only perl version < 5.003 had some

When I run it on the server, it throws an exception

Unsupported configuration attributes: [permitAll,permitAll,hasRole('ROLE_ADMIN'),hasRole('ROLE_ADMIN'),hasRole('ROLE_MEMBER'),hasRole('ROLE_MEMBER')]

This is my access-decision-manager bean in the same xml

<http use-expressions="true" auto-config="false"
        entry-point-ref="loginUrlAuthenticationEntryPoint"
        access-decision-manager-ref="accessDecisionManager" disable-url-rewriting="false">
        <!--<custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter"
            /> -->
        <custom-filter position="FORM_LOGIN_FILTER"
            ref="usernamePasswordAuthenticationFilter" />
        <custom-filter position="LOGOUT_FILTER" ref="tapLockFilter" />

        <intercept-url pattern="/session/**" access="permitAll" />
        <intercept-url pattern="/deviceregistration/**" access="permitAll" />
        <intercept-url pattern="/session/lock" access="hasRole('ROLE_MEMBER')" />
        <intercept-url pattern="/app/resources/admin*" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/app/SuperAppdashboard*" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/app/*" access="hasRole('ROLE_MEMBER')" />


        <!--<session-management invalid-session-url="/tizelytics/session/invalidSession"
            session-authentication-error-url="/tizelytics/session/accessDenied" session-authentication-strategy-ref="sas">
            </session-management> -->

        <session-management invalid-session-url="/session/invalidSession"
            session-authentication-error-url="/session/accessDenied"
            session-fixation-protection="none">
            <concurrency-control max-sessions="1"
                expired-url="/session/accessExpired" />
        </session-management>
</http>

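If I remove the access-decision-manager-ref, no exception is thrown; can the application then start up normally?

1 answer:

Answer 0 (score: 16)

Since you are defining your own accessDecisionManager, I don't see WebExpressionVoter as one of the beans in its list. WebExpressionVoter resolves strings such as permitAll(), hasRole() and hasAuthority(). So your accessDecisionManager bean should be: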

<beans:bean id="accessDecisionManager"
        class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:constructor-arg>
            <beans:list>
                <beans:bean
                    class="org.springframework.security.access.vote.AuthenticatedVoter" />
                <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
                <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter" />
            </beans:list>
        </beans:constructor-arg>
</beans:bean>
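
The startup check behind this exception can be reproduced outside the container. The following is an added example, not code from the question or the answer: it builds expression-based rules from a subset of the question's `<intercept-url>` patterns and asks an `AffirmativeBased` manager whether any of its voters supports each attribute, first without and then with `WebExpressionVoter`. It assumes Spring Security 4.x or 5.x (core and web), spring-expression and the servlet API on the classpath; the class name `VoterSupportCheck` and the method `unsupported` are hypothetical.

```java
import java.util.*;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.expression.WebExpressionVoter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical helper class for illustration; not part of Spring Security.
public class VoterSupportCheck {

    // Returns the access attributes that no voter in the given list supports.
    static List<ConfigAttribute> unsupported(List<AccessDecisionVoter<? extends Object>> voters) {
        // Subset of the question's <intercept-url> rules, in declaration order.
        LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> rules = new LinkedHashMap<>();
        rules.put(new AntPathRequestMatcher("/session/**"), SecurityConfig.createList("permitAll"));
        rules.put(new AntPathRequestMatcher("/app/resources/admin*"),
                SecurityConfig.createList("hasRole('ROLE_ADMIN')"));
        rules.put(new AntPathRequestMatcher("/app/*"),
                SecurityConfig.createList("hasRole('ROLE_MEMBER')"));

        // With use-expressions="true" each access string is parsed as a SpEL expression
        // and wrapped in an expression attribute whose getAttribute() returns null.
        ExpressionBasedFilterInvocationSecurityMetadataSource source =
                new ExpressionBasedFilterInvocationSecurityMetadataSource(
                        rules, new DefaultWebSecurityExpressionHandler());

        // The manager supports an attribute only if at least one of its voters does.
        AffirmativeBased manager = new AffirmativeBased(voters);
        List<ConfigAttribute> rejected = new ArrayList<>();
        for (ConfigAttribute attribute : source.getAllConfigAttributes()) {
            if (!manager.supports(attribute)) {
                rejected.add(attribute);
            }
        }
        return rejected;
    }

    public static void main(String[] args) {
        List<AccessDecisionVoter<? extends Object>> voters = new ArrayList<>();
        voters.add(new AuthenticatedVoter()); // supports only IS_AUTHENTICATED_* attributes
        voters.add(new RoleVoter());          // supports only plain strings starting with ROLE_
        System.out.println("Without WebExpressionVoter: " + unsupported(voters));

        voters.add(new WebExpressionVoter()); // supports expression attributes
        System.out.println("With WebExpressionVoter:    " + unsupported(voters));
    }
}
```

Running the same check in a unit test against the real voter list catches a missing `WebExpressionVoter` before deployment instead of at container startup.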