始终使用DefaultWebSecurityExpressionHandler

时间:2016-03-05 08:54:54

标签: spring-security spring-security-acl

我有一个spring-boot Web应用程序,它通过这个类声明了一些安全性:

 @Configuration
 @EnableWebSecurity
 @Order(Ordered.LOWEST_PRECEDENCE - 50) // needs to be after SpringBootAuthenticationConfigurerAdapter to register default in memory user
 public class StorefrontSecurityConfig extends GlobalAuthenticationConfigurerAdapter {

     @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER - 1)
     @Configuration
     public static class MyStorefrontSecurityConfig extends WebSecurityConfigurerAdapter {
       .....
     }

一切正常。我还将这些注释添加到我的一些服务方法中:

@PreAuthorize("hasPermission(#entity, 'APPROVE') or hasPermission(#entity, 'ADMINISTRATION') or hasRole('ROLE_ADMINGROUP')")
void approve(final EntityModificationEntityDefinition entity);

@PreAuthorize("hasPermission(#entity, 'APPROVE') or hasPermission(#entity, 'ADMINISTRATION') or hasRole('ROLE_ADMINGROUP')")
void reject(final EntityModificationEntityDefinition entity);

现在他们做得不多 - 这完全没问题。但现在我使用以下配置创建jar文件:

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true, prePostEnabled = true)
public class PersonalizationConfig extends GlobalMethodSecurityConfiguration {

private final Logger LOG = LogManager.getLogger(getClass());

/* Global Method Security */

@Override
public AccessDecisionManager accessDecisionManager() {
    final List<AccessDecisionVoter<? extends Object>> accessDecisionVoters = new ArrayList<>();
    accessDecisionVoters.add(new RoleVoter());
    accessDecisionVoters.add(new AuthenticatedVoter());
    accessDecisionVoters.add(new PreInvocationAuthorizationAdviceVoter(preInvocationAuthorizationAdvice()));

    final UnanimousBased accessDecisionManager = new UnanimousBased(accessDecisionVoters);
    accessDecisionManager.setAllowIfAllAbstainDecisions(true);

    return accessDecisionManager;
}

@Override
protected MethodSecurityExpressionHandler createExpressionHandler() {
    return this.defaultMethodSecurityExpressionHandler();
}

此jar在spring.factories中有一个META-INF文件,因此作为一个spring-boot应用程序,@Configuration被加载。现在我希望当我在类路径中包含这个jar以使@PreAuthorize注释开始工作时。然而,我看到的是AbstractSecurityExpressionHandler被调用,它调用抽象方法createSecurityExpressionRoot(authentication, invocation);,它总是转到DefaultWebSecurityExpressionHandler而永远不转移到DefaultMethodSecurityExpressionHandler。我可以看到DefaultMethodSecurityExpressionHandler是在我的应用程序启动时构建的,所以我真的不确定这里会发生什么。

编辑:这是我的spring.factories文件: org.springframework.boot.autoconfigure.EnableAutoConfiguration=com.nemesis.platform.module.personalization.core.config.PersonalizationConfig

0 个答案:

没有答案