基于表达式的访问控制的自定义权限评估程序

时间:2015-10-29 13:32:06

标签: java spring-mvc spring-security

我希望在我的所有控制器方法中使用@PreAuthorize进行访问控制。 为此,我对此blog post

进行了说明

我有以下配置

MethodSecurityConfig.class

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        CustomPermissionEvaluator permissionEvaluator = new CustomPermissionEvaluator();

        DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
        expressionHandler.setPermissionEvaluator(permissionEvaluator);
        return expressionHandler;
    }
}

和我的自定义权限评估程序

public class CustomPermissionEvaluator implements PermissionEvaluator{

    @Override
    public boolean hasPermission(Authentication arg0, Object arg1, Object arg2) {
        // method implementation

    }

    @Override
    public boolean hasPermission(Authentication arg0, Serializable arg1,
            String arg2, Object arg3) {
        // method implementation

    }

}

当我试图运行它时,在创建bean methodSecurityInterceptor

时会出现ERROR
Caused by: java.lang.IllegalArgumentException: An AuthenticationManager is required
    at org.springframework.util.Assert.notNull(Assert.java:112)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.afterPropertiesSet(AbstractSecurityInterceptor.java:131)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1625)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1562)
    ... 50 more

所以我的问题是

是否必须使用基于网络的安全性?

我们不能只使用如here

所示的GlobalMethodSecurityConfiguration

帮助请!!

0 个答案:

没有答案