I have a spring-boot web application which declares some security through this class:
@Configuration
@EnableWebSecurity
@Order(Ordered.LOWEST_PRECEDENCE - 50) // needs to be after SpringBootAuthenticationConfigurerAdapter to register default in memory user
public class StorefrontSecurityConfig extends GlobalAuthenticationConfigurerAdapter {

    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER - 1)
    @Configuration
    public static class MyStorefrontSecurityConfig extends WebSecurityConfigurerAdapter {
        .....
    }
}
Everything works fine. I also added these annotations to some of my service methods:
@PreAuthorize("hasPermission(#entity, 'APPROVE') or hasPermission(#entity, 'ADMINISTRATION') or hasRole('ROLE_ADMINGROUP')")
void approve(final EntityModificationEntityDefinition entity);
@PreAuthorize("hasPermission(#entity, 'APPROVE') or hasPermission(#entity, 'ADMINISTRATION') or hasRole('ROLE_ADMINGROUP')")
void reject(final EntityModificationEntityDefinition entity);
Right now they don't do much - and that's perfectly fine. But now I have created a jar file with the following configuration:
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true, prePostEnabled = true)
public class PersonalizationConfig extends GlobalMethodSecurityConfiguration {

    private final Logger LOG = LogManager.getLogger(getClass());

    /* Global Method Security */
    @Override
    public AccessDecisionManager accessDecisionManager() {
        // Voters consulted for every secured method invocation
        final List<AccessDecisionVoter<? extends Object>> accessDecisionVoters = new ArrayList<>();
        accessDecisionVoters.add(new RoleVoter());
        accessDecisionVoters.add(new AuthenticatedVoter());
        accessDecisionVoters.add(new PreInvocationAuthorizationAdviceVoter(preInvocationAuthorizationAdvice()));

        // Access is granted if every voter abstains
        final UnanimousBased accessDecisionManager = new UnanimousBased(accessDecisionVoters);
        accessDecisionManager.setAllowIfAllAbstainDecisions(true);
        return accessDecisionManager;
    }

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return this.defaultMethodSecurityExpressionHandler();
    }
}
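This jar has a spring.factories file in META-INF, so as a spring-boot application the @Configuration is loaded. Now I would expect that when I include this jar in the classpath, the @PreAuthorize annotations start working. However, what I see is that AbstractSecurityExpressionHandler is invoked, which calls the abstract method createSecurityExpressionRoot(authentication, invocation);, which always goes to DefaultWebSecurityExpressionHandler and never to DefaultMethodSecurityExpressionHandler. I can see that DefaultMethodSecurityExpressionHandler is constructed when my application starts, so I'm really not sure what is going on here.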
Edit: here is my spring.factories file:
org.springframework.boot.autoconfigure.EnableAutoConfiguration=com.nemesis.platform.module.personalization.core.config.PersonalizationConfig
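
A regression test for the expectation described in the question, that @PreAuthorize is actually enforced once method security is enabled (added example, not code from the original post). It assumes Spring Security 4.x/5.x with JUnit 4 and spring-test on the classpath; ApprovalService, Config and the test identities are hypothetical stand-ins, and only the @PreAuthorize expression is taken from the post.

```java
import static org.junit.Assert.assertTrue;

import org.junit.After;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.aop.support.AopUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;

// Added example: every name below except the @PreAuthorize expression is hypothetical.
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(classes = MethodSecurityEnforcedTest.Config.class)
public class MethodSecurityEnforcedTest {

    public static class ApprovalService { // stand-in for the annotated service
        @PreAuthorize("hasPermission(#entity, 'APPROVE') or hasPermission(#entity, 'ADMINISTRATION') or hasRole('ROLE_ADMINGROUP')")
        public void approve(Object entity) { }
    }

    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    static class Config {
        @Bean ApprovalService approvalService() { return new ApprovalService(); }
    }

    @Autowired private ApprovalService service;

    private static void loginAs(String role) { // constructed test identity
        SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("user", "n/a", role));
    }

    @After public void clear() { SecurityContextHolder.clearContext(); }

    @Test public void serviceIsProxied() { assertTrue(AopUtils.isAopProxy(service)); }

    @Test(expected = AccessDeniedException.class)
    public void callerWithoutRoleIsRejected() { loginAs("ROLE_USER"); service.approve(new Object()); }

    @Test public void adminGroupIsAllowed() { loginAs("ROLE_ADMINGROUP"); service.approve(new Object()); }
}
```

To exercise the real wiring, point @ContextConfiguration at the application's own configuration and autowire the real service. A call that returns normally for the ROLE_USER identity means the annotation is not being enforced.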