Spring security 3.1 + JSF 2.0。 ManagedBeans中注释方法的问题?

时间:2011-09-20 13:37:34

标签: hibernate jsf-2 spring-security

Hy。我想做的是将Spring安全性与Jsf + spring IOC + hibernate应用程序集成。我设法设置了登录页面并过滤了其他一些页面。太好了,但是当我试图将@Secured或@PreAuthorize注释放在managedBeans内的方法上(在Dao的注释内部工作),我意识到它们绝对没有做任何事情。我已经读过我需要FORCE类代理。 Spring使用基于代理的aop,托管bean实现了一个接口,因此使用了jdk动态代理而不是类代理。所以我在配置文件中这样做了:

 <beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:aop="http://www.springframework.org/schema/aop"**    
xsi:schemaLocation="http://www.springframework.org/schema/beans 
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd         
http://www.springframework.org/schema/aop 
    http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">

<aop:aspectj-autoproxy proxy-target-class="true"/>
 //the rest of the beans
 </beans>

applicationContext-security Xml如下所示:

  <?xml version="1.0" encoding="UTF-8"?>

 <!-- - Sample namespace-based configuration - - $Id: applicationContext-security.xml 
3019 2008-05-01 17:51:48Z luke_t $ -->

 <beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<global-method-security secured-annotations="enabled"  jsr250-annotations="enabled"/>

<http pattern="/css/**" security="none" />
<http pattern="/pages/login.xhtml" security="none" />

<http auto-config='false'>
    <intercept-url pattern="/pages/customer/**" access='ROLE_SITE_ADMIN' />
    <intercept-url pattern="/pages/department/overhead*" access='ROLE_SITE_ADMIN' />
    <intercept-url pattern="/**"
        access='ROLE_SITE_ADMIN,ROLE_PROJECT_MANAGER,ROLE_DEPARTMENT_MANAGER,ROLE_ACCOUNTING' />
    <form-login login-page="/pages/login.xhtml"
        default-target-url='/pages/reports.xhtml' always-use-default-target='true'
        authentication-failure-handler-ref="userLoginService" />
    <logout invalidate-session="true" logout-success-url="/pages/login.xhtml"/>
</http>

<authentication-manager>
    <authentication-provider user-service-ref='userLoginService'>
        <password-encoder hash="md5" />
    </authentication-provider>
</authentication-manager>

<beans:bean id="userLoginService" class="com.evozon.demo.bean.SecureLoginService">
    <beans:property name="defaultFailureUrl" value="/pages/login.xhtml" />
    <beans:property name="userDao" ref="userDao" />
    <beans:property name="loginReportDao" ref="loginReportDao" />
</beans:bean>
 </beans:beans>

有人可以告诉我为什么注释在托管bean中不起作用,以及如何解决问题?例如:

    @PreAuthorize("ROLE_PROJECT_MANAGER")
public void aproveVacation(Vacation vacation) {...}

THX

1 个答案:

答案 0 :(得分:0)

问题已经解决。解决方案是将Managed bean转换为Spring bean。方法如下:
web.xml不需要jsf监听器只有sprin的那些:

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>

应用程序上下文首先需要此配置才能工作:

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx" xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans 
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd         
http://www.springframework.org/schema/aop 
http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
http://www.springframework.org/schema/tx 
http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
 http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">


<context:component-scan base-package="com.company.demo.bean" />
<context:annotation-config />
<aop:config proxy-target-class="true" />
//other configs
</beans>

请注意,前两个需要为spring bean(对于Components)定义基础包,并且需要注释bean。需要第三个配置来强制类代理here is why you need that
Ok.once我们知道我们将注释从jsf managedBeans更改为Spring组件:

@ManagedBean
@SessionScoped
public class UserLoginBean {

@ManagedProperty(name = "userDao", value = "#{userDao}")
private UserDao userDao; 
}

到:

@Component
@Scope("session")
@Qualifier("userLoginBean")
public class UserLoginBean  {

@Autowired
private UserDao userDao;
}

这就是全部。如果您已经使用此配置并且无法正常工作,则应将<aop:config proxy-target-class="true" />设置为applicationContext.xml。

相关问题
最新问题