@PreAuthorize is ignored by Spring

Time: 2015-12-04 10:30:20

Tags: spring-mvc spring-security

I am using Spring Security in a web app for role checking.

In spring-security-config.xml:

    <http auto-config="true" authentication-manager-ref="adminAuthMgr">
        <intercept-url pattern="/admin/**"
                       access="hasAuthority('PERM_ACCESS_ADMIN_AREA')" />

        <form-login login-page="/login" default-target-url="/admin/dashboard"
                    authentication-failure-url="/login?error"
                    username-parameter="username" password-parameter="password"
                    login-processing-url="/j_spring_security_check" />

        <logout logout-url="/j_spring_security_logout"
                logout-success-url="/login?logout" />
        <csrf />
    </http>

    <global-method-security pre-post-annotations="enabled"/>

    <authentication-manager alias="adminAuthMgr">
        <authentication-provider
            user-service-ref="liveUserDetailsService">
            <password-encoder hash="bcrypt" />
        </authentication-provider>
    </authentication-manager>

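The hasAuthority('PERM_ACCESS_ADMIN_AREA') statement that protects the admin/* path is working.

In the *.jsp files, <sec:authorize access="hasAuthority('PERM_MANAGE_USER')"> also works correctly.

But when I try to secure a method, it does not work, and everyone who has the PERM_ACCESS_ADMIN_AREA role (defined in the XML above) has access. The additional requirement in the annotation is ignored: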

    @PreAuthorize("hasAuthority('PERM_CORRECT_EXAMS')")
    @RequestMapping("/admin/correction")
    public AdminModelAndView index() { ...

Does anyone have an idea why the annotation is ignored?

    <servlet>
        <servlet-name>spring-mvc-servlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/spring-mvc-config.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
        <async-supported>true</async-supported>
    </servlet>

In spring-mvc-config.xml:

    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:context="http://www.springframework.org/schema/context"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"
        xsi:schemaLocation="
            http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans.xsd
            http://www.springframework.org/schema/mvc
            http://www.springframework.org/schema/mvc/spring-mvc.xsd
            http://www.springframework.org/schema/context
            http://www.springframework.org/schema/context/spring-context.xsd ">

        <context:component-scan base-package="de.paluno.live" />

        <global-method-security pre-post-annotations="enabled"/>

        <bean
            class="org.springframework.web.servlet.view.InternalResourceViewResolver">
            <property name="viewClass"
                value="org.springframework.web.servlet.view.JstlView" />
            <property name="prefix" value="/WEB-INF/views/jsp/" />
            <property name="suffix" value=".jsp" />
        </bean>

        <bean id="multipartResolver"
            class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
            <property name="maxUploadSize" value="100000" />
        </bean>

        <mvc:resources mapping="/resources/**" location="/resources/" />

        <mvc:annotation-driven />

        <mvc:interceptors>
            <bean
                class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
                <property name="paramName" value="language" />
            </bean>
        </mvc:interceptors>
    </beans>

1 answer:

Answer 0 (score: 0)

Thanks to M. Deinum, who helped find the answer.

Solution:

In spring-security-config.xml:

    <global-method-security pre-post-annotations="enabled"/>

In spring-mvc-config.xml:

    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:context="http://www.springframework.org/schema/context"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"
           xmlns:security="http://www.springframework.org/schema/security"
           xsi:schemaLocation="
            http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans.xsd
            http://www.springframework.org/schema/mvc
            http://www.springframework.org/schema/mvc/spring-mvc.xsd
            http://www.springframework.org/schema/context
            http://www.springframework.org/schema/context/spring-context.xsd
            http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security.xsd">

        <security:global-method-security pre-post-annotations="enabled"/>

        <!-- other bean definitions omitted -->
    </beans>