@PreAuthorize and RoleHierarchyVoter

Time: 2011-10-24 09:33:06

Tags: spring spring-security

I am using the role hierarchy from Spring Security, as in my question. When I try to secure a method with @PreAuthorize("hasRole('ROLE_USER')"), I get an AccessDeniedException every time. However, if I change it to @Secured("ROLE_USER") or to

<protect-pointcut
      expression="execution(* my.package.Class.*(..))"
      access="ROLE_GUEST" />

I have no problem. According to this answer, the two should behave the same apart from the differences listed there. Am I missing something here?

EDIT Here is my configuration.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:context="http://www.springframework.org/schema/context"
  xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <http entry-point-ref="entryPoint">
    <anonymous enabled="false" />
  </http>

  <beans:bean id="entryPoint"
    class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

  <global-method-security secured-annotations="enabled"
    pre-post-annotations="enabled" access-decision-manager-ref="accessDecisionManager">
    <!-- this is disabled if I secure with the @Secured annotation -->
    <protect-pointcut
      expression="execution(* my.package.Class.*(..))"
      access="ROLE_GUEST" />
  </global-method-security>

  <beans:bean id="accessDecisionManager"
    class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
      <beans:list>
        <beans:ref bean="roleHierarchyVoter" />
      </beans:list>
    </beans:property>
  </beans:bean>

  <beans:bean id="roleHierarchyVoter"
    class="org.springframework.security.access.vote.RoleHierarchyVoter">
    <beans:constructor-arg ref="roleHierarchy" />
  </beans:bean>

  <beans:bean id="roleHierarchy"
    class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <beans:property name="hierarchy">
      <beans:value>
        ROLE_USER > ROLE_GUEST
      </beans:value>
    </beans:property>
  </beans:bean>

  <beans:bean id="userDetailsService"
    class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
    <beans:property name="dataSource" ref="dataSource" />
    <beans:property name="enableGroups" value="true" />
    <beans:property name="enableAuthorities" value="false" />
  </beans:bean>

  <authentication-manager>
    <authentication-provider user-service-ref="userDetailsService">
    </authentication-provider>
  </authentication-manager>

</beans:beans>

1 answer:

Answer 0 (score: 0)

I'm not quite sure what your configuration looks like, since you refer to another post. The solution may be simple. Leave out the access-decision-manager-ref:

<sec:global-method-security
    secured-annotations="enabled" pre-post-annotations="enabled" />

Actually, the voter-based system is not really needed if the Pre*/Post* annotations are used for method security. In fact there is no voter for them at all, so all the other voters abstain and access is denied.
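As an added example (not part of the question or the answer above), here are two Spring Security 3.0 namespace configurations that make @PreAuthorize work alongside the roleHierarchy bean from the question. The bean ids expressionHandler and preInvocationVoter are my own names; the roleHierarchy and roleHierarchyVoter beans are assumed to be the ones from the question.

```xml
<!-- Added example, not from the original post. Assumes the roleHierarchy and
     roleHierarchyVoter beans defined in the question. -->

<!-- Option A: drop access-decision-manager-ref so the namespace builds the
     AccessDecisionManager itself (it then contains the voter that evaluates
     @PreAuthorize), and give the expression handler the role hierarchy so that
     hasRole('ROLE_GUEST') also accepts a user who only holds ROLE_USER. -->
<global-method-security secured-annotations="enabled"
    pre-post-annotations="enabled">
  <expression-handler ref="expressionHandler" />
</global-method-security>

<beans:bean id="expressionHandler"
    class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
  <beans:property name="roleHierarchy" ref="roleHierarchy" />
</beans:bean>

<!-- Option B: keep the custom AccessDecisionManager, but add a voter that
     understands @PreAuthorize attributes. RoleHierarchyVoter only votes on
     ROLE_* attributes (@Secured, protect-pointcut); on a @PreAuthorize
     attribute it abstains, and AffirmativeBased denies when every voter
     abstains, which is the AccessDeniedException seen in the question. -->
<beans:bean id="accessDecisionManager"
    class="org.springframework.security.access.vote.AffirmativeBased">
  <beans:property name="decisionVoters">
    <beans:list>
      <beans:ref bean="roleHierarchyVoter" />
      <beans:ref bean="preInvocationVoter" />
    </beans:list>
  </beans:property>
</beans:bean>

<beans:bean id="preInvocationVoter"
    class="org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter">
  <beans:constructor-arg>
    <beans:bean
        class="org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice">
      <!-- same hierarchy-aware handler as in Option A -->
      <beans:property name="expressionHandler" ref="expressionHandler" />
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>
```

Use one option or the other; with Option B keep access-decision-manager-ref="accessDecisionManager" on global-method-security as in the question.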