JSR 250 method level security does not work in Spring MVC

I try to move from @Configuration based security to JSR 250 method level security. The code below works as follows:

Access to my page is configured in configure(HttpSecurity http) inside SecurityConfiguration.class. Everyone is allowed to access the "all" page; if someone tries "protected" then the default login page is displayed; if the role is wrong then an "Access denied" message is shown. Fine.

Now, I would like to do exactly the same thing but by using JSR 250 annotations. So:

I have removed the configure(HttpSecurity http) method and added this to the dispatcher servlet context configuration:

@EnableGlobalMethodSecurity(jsr250Enabled = true, proxyTargetClass = true, mode = AdviceMode.ASPECTJ, prePostEnabled=true)

and obviously @PermitAll and @RolesAllowed inside the controller.

These changes do not work properly. If I try to access any page I am asked for credentials (default login page). If I fill them in then I am able to access any page in any role :(

Have I forgotten about something?

Thank you in advance for any help you can provide, Marek

Application Context:

@Import(SecurityConfiguration.class)
public class AppConfiguration {
  // entityManagerFactory, transactionManager, localValidatorFactoryBean, methodValidationPostProcessor 
}

@Configuration
@EnableWebMvcSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

  @Inject
  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication().withUser("marek").password("123456").roles("USER");
    auth.inMemoryAuthentication().withUser("bill").password("123456").roles("ADMIN");
    auth.inMemoryAuthentication().withUser("james").password("123456").roles("SUPERADMIN");
  }

  @Bean
  @Override
  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests().antMatchers("/all**").permitAll();
    http.authorizeRequests().antMatchers("/protected/**").access("hasRole('ROLE_ADMIN')");
    http.authorizeRequests().antMatchers("/confidential/**").access("hasRole('ROLE_SUPERADMIN')");
    http.authorizeRequests().and().formLogin();
  }
}

WebApplicationContext:

@Configuration
@EnableWebMvc
@EnableGlobalMethodSecurity(jsr250Enabled = true, proxyTargetClass = true, mode = AdviceMode.ASPECTJ, prePostEnabled=true)
@ComponentScan(basePackages = "xxx.xxx.controllers")
public class WebMvcConfiguration extends WebMvcConfigurerAdapter {
  // addInterceptors, addViewControllers, templateResolver, templateEngine, thymeleafViewResolver
}

Controller:

@Controller
public class HomeController {
  @PermitAll
  @RequestMapping(value = "/all**", method = RequestMethod.GET)
  public String allPage(Model model) {
    return "all";
  }

  @RolesAllowed("ADMIN")
  @RequestMapping(value = "/protected**", method = RequestMethod.GET)
  public String protectedPage(Model model) {
    return "protected";
  }

  @RolesAllowed("SUPERADMIN")
  @RequestMapping(value = "/confidential**", method = RequestMethod.GET)
  public String superAdminPage(Model model) {
    return "confidential";
  }
}

Dependencies:

<appengine.target.version>1.9.18</appengine.target.version>
<javax.servlet-api.version>3.1.0</javax.servlet-api.version>
<javax.jsr250-api.version>1.0</javax.jsr250-api.version>
<spring.version>4.1.5.RELEASE</spring.version>
<spring.security.version>3.2.6.RELEASE</spring.security.version>
<spring.thymeleaf.version>2.1.4.RELEASE</spring.thymeleaf.version>
<aspectj.version>1.8.5</aspectj.version>

I noticed that your @EnableGlobalMethodSecurity annotation uses proxy mode AdviceMode.ASPECTJ but your dependencies don't list AspectJ.

If you're trying to use AspectJ proxies, then you need to provide the dependency and add configuration to compile using the AspectJ compiler.

If you do not intend to use AspectJ proxies, then try without the 'mode = AdviceMode.ASPECTJ' parameter.

Edit - This might not be obvious. For using AspectJ proxies, you need to:

  1. specify dependencies
  2. provide aspectj plugin configuration to compile with AspectJ compiler

Here's an example of maven configuration: Running JDK8 for aspectj

Here's one for gradle: https://github.com/jigishpa/spring-samples/blob/master/aop/hello/build.gradle
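
The two steps listed in the answer above, sketched as a Maven fragment. This is an added example, not taken from the original answer or the pages it links to; the `aspectj.version` and `spring.security.version` properties reuse the names from the question's dependency list, while `aspectj-maven-plugin.version` and `java.version` are placeholder properties assumed to be defined elsewhere in the POM.

```xml
<!-- Added example (pom.xml fragment), not from the original answer.
     aspectj-maven-plugin.version and java.version are assumed placeholder properties. -->
<dependencies>
  <!-- Step 1: AspectJ runtime plus Spring Security's AspectJ aspects -->
  <dependency>
    <groupId>org.aspectj</groupId>
    <artifactId>aspectjrt</artifactId>
    <version>${aspectj.version}</version>
  </dependency>
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-aspects</artifactId>
    <version>${spring.security.version}</version>
  </dependency>
</dependencies>

<build>
  <plugins>
    <!-- Step 2: compile with the AspectJ compiler so the aspects are woven in -->
    <plugin>
      <groupId>org.codehaus.mojo</groupId>
      <artifactId>aspectj-maven-plugin</artifactId>
      <version>${aspectj-maven-plugin.version}</version>
      <configuration>
        <complianceLevel>${java.version}</complianceLevel>
        <source>${java.version}</source>
        <target>${java.version}</target>
        <!-- Log every woven join point, so the build output shows what was advised -->
        <showWeaveInfo>true</showWeaveInfo>
        <aspectLibraries>
          <aspectLibrary>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-aspects</artifactId>
          </aspectLibrary>
        </aspectLibraries>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>compile</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With `showWeaveInfo` enabled, the build log names each method the compiler advised; a secured controller method that never appears there is running without the aspect.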
