我使用 Spring Security 和 JAX-RS(Jersey)提供 Java RESTful Web 服务。我使用 @PreAuthorize 注解来保护方法,但它不起作用。
我有一个方法使用了注解 @PreAuthorize("hasRole('ROLE_ADMIN')"),但是拥有 ROLE_USER 角色的用户也可以访问此方法。
有人能帮助我吗?
Spring 版本
<spring.version>3.2.8.RELEASE</spring.version>
<spring.security.version>3.2.3.RELEASE</spring.security.version>
我的 spring-security-context.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<!-- Spring Security 3.2 XML configuration; the security namespace is the default namespace.
     The listing is cut off before the closing </beans:beans>. -->
<!-- URL-level authorization. intercept-url rules are evaluated top to bottom and the first match
     wins; a request that matches none of them is NOT restricted by this filter chain, because there
     is no trailing catch-all (e.g. <intercept-url pattern="/**" access="denyAll"/>).
     auto-config="true" registers form-login, http-basic and logout with defaults. CSRF protection
     is not enabled here: in the 3.2 XML namespace it is opt-in via <csrf/>. -->
<http use-expressions="true" auto-config="true">
<intercept-url pattern="/rest/users/list" access="hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')"/>
<intercept-url pattern="/rest/users/add" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/rest/users/update" access="hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')"/>
<!-- Matches only DELETE requests, so it does not shadow the GET rule for /rest/users/get/** below.
     Note that non-DELETE requests to any /rest/users/ path not listed here match no rule at all. -->
<intercept-url pattern="/rest/users/**" method="DELETE" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/rest/users/get/**" access="hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')"/>
<!-- Any authenticated user may reach every /rest/orders/** URL; the per-user restriction is expected
     to come from @PreAuthorize on the DAO (see orderDAO below), not from this rule. -->
<intercept-url pattern="/rest/orders/**" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')"/>
<logout logout-url="/logout"/>
</http>
<!-- Enables @Secured and @PreAuthorize/@PostAuthorize. Method security is applied by proxying beans
     that are created in THIS application context; an object instantiated with new, or a bean defined
     in a different context (e.g. a DispatcherServlet child context), is not proxied and its
     annotations are silently ignored. OrderOutputDAOImpl implements an interface, so the default
     JDK proxy is sufficient. -->
<security:global-method-security secured-annotations="enabled"
pre-post-annotations="enabled"/>
<!-- Declared but not referenced by the authentication-manager below, which uses the in-memory
     user-service instead. -->
<beans:bean id="customUserService" class="com.bankproject.services.CustomUserDetailService"/>
<!-- Declared but never wired in: the authentication-provider below has no
     <password-encoder ref="encoder"/>, so the in-memory passwords are compared in clear text. -->
<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<authentication-manager>
<authentication-provider>
<user-service>
<!-- Hard-coded clear-text credentials in configuration; acceptable only for local development. -->
<user name="user" password="user" authorities="ROLE_USER"/>
<user name="admin" password="admin" authorities="ROLE_ADMIN"/>
</user-service>
</authentication-provider>
</authentication-manager>
<!-- orderDAO is the bean carrying @PreAuthorize("hasRole('ROLE_ADMIN')"); the check is enforced only
     through the proxy of this bean. NOTE(review): OrderService is also declared as a bean here, but
     unless Jersey is integrated with Spring (jersey-spring), the resource instance Jersey creates is
     not this bean and will not receive the proxied orderDAO - confirm how the resource is created. -->
<beans:bean id="orderDAO" class="com.bankproject.DAO.Impl.OrderOutputDAOImpl"/>
<beans:bean id="orderManager" class="com.bankproject.services.OrderService"/>
我的 OrderOutputDAOImpl.java
public class OrderOutputDAOImpl implements OrderOutputDAO {

    /**
     * Returns the output representation of every order belonging to {@code username}.
     *
     * <p>The raw orders are loaded through {@code orderDAO} and converted by
     * {@code getOutputOrders}; both are declared outside this excerpt.
     *
     * <p>{@code @PreAuthorize} restricts the call to ROLE_ADMIN, but the check is
     * applied only when the caller invokes the Spring-managed proxy of this bean
     * (global-method-security in the security context). An instance created with
     * {@code new}, or obtained from a different application context, executes the
     * body without any authorization check. NOTE(review): confirm how OrderService
     * obtains its {@code orderOutputDAO}.
     *
     * @param username user whose orders are returned
     * @return the converted orders
     * @throws SQLException propagated from the underlying DAO
     */
    @Override
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public List<OrderOutputObject> getOrdersByUsername(String username) throws SQLException {
        return getOutputOrders(orderDAO.getOrdersByUsername(username));
    }
}
我的 OrderService.java
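@Path("/orders")
public class OrderService {

    /**
     * GET /orders/{username}: returns the user's orders as JSON.
     *
     * <p>{@code username} comes from the request path, not from the authenticated
     * principal. The URL rule for /rest/orders/** admits any ROLE_USER, so the only
     * thing preventing one user from reading another user's orders is the
     * {@code @PreAuthorize("hasRole('ROLE_ADMIN')")} on the DAO - and that check is
     * applied only if {@code orderOutputDAO} (declared outside this excerpt) is the
     * Spring-managed proxy rather than an instance created with {@code new}.
     * NOTE(review): confirm how the field is populated; a resource instantiated by
     * Jersey is not wired by Spring unless jersey-spring integration is in place.
     *
     * @param username path segment identifying the user
     * @return the user's orders, or an empty list when the database call fails
     */
    @GET
    @Path("/{username}")
    @Produces(MediaType.APPLICATION_JSON)
    public List<OrderOutputObject> getOrdersForUser(@PathParam("username") String username) {
        List<OrderOutputObject> orders = new ArrayList<OrderOutputObject>();
        try {
            orders = orderOutputDAO.getOrdersByUsername(username);
        } catch (java.sql.SQLException e) {
            // Deliberately narrow: only the checked database failure declared by the
            // DAO is handled here (best-effort, empty list). Catching Exception would
            // also swallow the AccessDeniedException raised by @PreAuthorize and turn a
            // denied call into an empty 200 response; runtime exceptions now propagate
            // so the security filter chain can answer with 403.
            // No logger is in scope in this excerpt, so the stack trace is printed.
            e.printStackTrace();
        }
        return orders;
    }
}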