Spring Security中的@PreAuthorize注释不起作用。可能是配置错误的.xml文件

时间:2015-10-30 09:59:44

标签: spring spring-security spring-boot pre-authentication

我正在使用AngularJS的Spring Security(Spring Boot应用程序),我试图根据用户授予的权限允许/拒绝访问特定的映射。

User.java

public class User implements UserDetails {
    ...
    private String username;
    private String password;
    private boolean enabled;
    private List<GrantedAuthority> grantedAuthorities;

    public User(...) {...}

    private class Permission implements GrantedAuthority {
        String permission;

        public Permission(String permission) {
            this.permission = permission;
        }

        @Override
        public String getAuthority() {
            return permission;
        }
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return grantedAuthorities;
    }
    ...
}

此外,我有自己的UserDetailsService(方法loadUserByUsername(String username))实现,它使用数据库中的数据填充用户数据。

之前提到的映射是:

@RequestMapping("yes")
public void doesHaveAuthority() {yes();}

@PreAuthorize("hasAuthority('10001')")
private void yes() {}

@RequestMapping("no")
public void doesntHaveAuthority() {no();}

@PreAuthorize("hasAuthority('00000')")
private void no() {}

如果用户具有权限“10001”,但没有权限“00000”,则应允许访问/yes,但不应访问/no。不幸的是,这两条路径都是允许的。

我有spring-security-config作为maven依赖关系here

我的WEB-INF / web.xml

<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://java.sun.com/xml/ns/javaee
        http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/security.xml</param-value>
    </context-param>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

</web-app>

和WEB-INF / security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context 
        http://www.springframework.org/schema/context/spring-context.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <context:component-scan base-package="com.mycompany.project" />

    <global-method-security pre-post-annotations="enabled" />

</beans:beans>

所以,总结一下:UserDetailsS​​ervice实现工作(我可以使用用户凭据登录并且记录器打印授予权限,所以我知道他们在那里),但是用户可以访问yes/no路径实际上他/她不应该访问/no,因为他/她没有权限(权限)“00000”。

可能我的xml配置不正确或根本没有读取。

感谢您的时间

UPDATE 正如M. Deinum在评论中所说,Spring Boot忽略了web.xml和security.xml文件。解决方法是修改扩展SecurityConfiguration的{​​{1}}并添加相应权限的相应antMatchers。

示例:

WebSecurityConfigurerAdapter

1 个答案:

答案 0 :(得分:2)

用户&#34;我们是Borg&#34;让我发布解决方案作为答案,所以在这里:

基本上,由于我的应用程序是Spring Boot应用程序,因此忽略了(忽略了我的.xml配置文件)。解决方案非常简单:扩展WebSecurityConfigurerAdapter并覆盖configure(HttpSecurity)方法。覆盖它时,请确保用户具有访问路径的权限和/或权限(antMatchers)。看起来应该是这样的:

SecurityConfiguration.java

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().and()
            .authorizeRequests()
            .antMatchers("/login.html", "/index.html", "/").permitAll()
            .antMatchers("/yes").hasAuthority("10001")
            .antMatchers("/no").hasAuthority("00000")
            .anyRequest().authenticated();
    }

}

您不再需要@PreAuthorize注释,也不需要.xml配置文件(security.xml,web.xml等等)

祝你好运;)