@PreAuthorize不起作用。可能是什么问题?

时间:2015-08-22 12:58:10

标签: java spring spring-mvc spring-security

有一个管理页面,我使用@PreAuthorize注释添加了角色ROLE_ADMIN,但没有此角色的用户也可以访问此页面。

此安全上下文文件

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans
                   http://www.springframework.org/schema/beans/spring-beans.xsd
                   http://www.springframework.org/schema/security
                   http://www.springframework.org/schema/security/spring-security-4.0.xsd">

<security:global-method-security
    pre-post-annotations="enabled" secured-annotations="enabled" />

<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/app/login"
        access="permitAll" />

    <security:intercept-url pattern="/app/admin"
        access="hasRole('ROLE_USER') and over18" />

    <security:intercept-url pattern="/app/**"
        access="hasRole('ROLE_USER')" />

    <security:form-login login-page="/app/login"
        default-target-url="/app/base/" always-use-default-target="true"
        authentication-failure-url="/app/login?error=true" />

    <security:logout delete-cookies="JSESSIONID"
        logout-success-url="/app/logout" />

    <security:access-denied-handler
        error-page="/app/User/error/403" />

    <security:remember-me key="webapp-key" />
    <security:expression-handler ref="expressionHandler" />
</security:http>


<bean id="daoAuthenticationProvider"
    class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userDetailsService"></property>
</bean>

<bean class="org.springframework.security.authentication.ProviderManager">
    <constructor-arg>
        <list>
            <ref bean="daoAuthenticationProvider" />
        </list>
    </constructor-arg>
</bean>


<security:authentication-manager>
    <security:authentication-provider
        user-service-ref="userDetailsService">
        <security:password-encoder hash="md5"></security:password-encoder>
    </security:authentication-provider>
</security:authentication-manager>

</beans>

,控制器是:

@Controller
@RequestMapping("/admin")
public class AdminController {

@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping
public String showAdminPage(){
    return "adminPage";
}
}

编辑:

flag

我添加了代码来检查用户和授权的权限,然后我将它们打印出来。这是输出

*************************************** [ROLE_USER] uddeshya *************************************** for 

System.out.println("***************************************\n\n\n");  
System.out.println(SecurityContextHolder.getContext() 
.getAuthentication().getAuthorities()); 
System.out.println(principal.getName()); System.out.println("\n
\n\n***************************************");

1 个答案:

答案 0 :(得分:2)

要在Spring MVC控制器中使用基于anotation的方法安全性,需要在DispatcherServlet的上下文配置文件中设置以下内容。

<security:global-method-security
    pre-post-annotations="enabled" secured-annotations="enabled" />

好像你把它放到不同的配置文件中。

相关问题
最新问题