我正在使用Spring 4.x并试图让@PreAuthorize工作,但由于某种原因,该程序继续没有例外,好像没有@PreAuthorize。我已经阅读了文档,我在这里查看了其他帖子,但没有用,也不知道我哪里出错了,因为没有报道错误。
我有以下配置:
@EnableGlobalMethodSecurity(securedEnabled=true, prePostEnabled = true, proxyTargetClass = true)
public class WorkInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class<?>[] { RootConfig.class };
}
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class<?>[] { WebConfig.class };
}
@Override
protected String[] getServletMappings() {
return new String[] { "/" };
}
}
和..
@EnableGlobalMethodSecurity(securedEnabled=true, prePostEnabled = true, proxyTargetClass = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
...
}
并在我的控制器中:
@PreAuthorize("#username == authentication.name")
@RequestMapping(value="/{username}", method=GET)
public String viewPrivateProfile(@P("username") @PathVariable String username, Model model) {
logger.debug("Debug: Entered Private Profile!");
return "privateprofile";
}
在日志中,它显示已找到@PreAuthorize:
16:41:43.018 [localhost-startStop-1] DEBUG o.s.s.a.p.PrePostAnnotationSecurityMetadataSource - @org.springframework.security.access.prepost.PreAuthorize(value=#username == authentication.name) found on specific method: public java.lang.String com.work.personnel.ViewController.viewPrivateProfile(java.lang.String,org.springframework.ui.Model)
所以,如果我以“bob”身份登录,我还可以通过以下链接查看'mike的私人资料:
http://localhost:8080/workarea/profile/private/mike
当我的所有其他安全功能(例如authorizeRequests()。antMatchers(...)等)按预期工作时,我可能做错了什么?