
Spring not enforcing method security annotations

I'm somewhat lost as to why Spring isn't enforcing the @Secured("ROLE_USER") on my service interface. My controllers are established using annotations.

An example of my service interface:

public interface MyServiceManager {

    @Secured("ROLE_USER")
    public void delete(int cid);

    @RolesAllowed({"ROLE_USER"})
    public Contact getContact(int contactId);
}

My security-context:

<global-method-security   secured-annotations="enabled" jsr250-annotations="enabled">
</global-method-security>

<http auto-config="true" >
    <intercept-url pattern="/secure/**" access="ROLE_SUPERVISOR" />
    <intercept-url pattern="/addcontact**" access="IS_AUTHENTICATED_REMEMBERED" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

    <concurrent-session-control max-sessions="1"
        exception-if-maximum-exceeded="true"/>
    <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1"/>
    <logout logout-success-url="/welcome.do" logout-url="/logout"/>
</http>
    <authentication-provider>
    <password-encoder hash="md5"/>
    <user-service>
        <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
    </user-service>
</authentication-provider>

Do you have the statement

<global-method-security   secured-annotations="enabled" jsr250-annotations="enabled" />

in the same configuration file as the one where you defined the MyServiceManager bean? I had the same problem until I turned on debug for org.springframework and noticed that Spring Security was only applied to the same file as the one where global-method-security was defined.

In my case, the exact location of this statement:

<global-method-security secured-annotations="enabled" >

proved to be very important. Make sure that you put it after you declare which classes should be scanned and used as controllers.

<context:component-scan base-package="com.test.controller" />

This is the way to make sure that the @Secured annotations will also get into the game.

After doing more research on this problem I came to the following conclusion/solution. I'm not sure if it's 100% correct, but it works.

I put all of my configuration in the dispatcher-servlet.xml file, instead of having a dispatcher-servlet.xml and an application-context.xml. The dispatcher-servlet.xml is loaded by the application (contextConfigLocation). Within the dispatcher-servlet.xml I import my security-context.xml and datasource-context.xml. After that, everything works.

I had this same problem. Using the information from Kent Lai's reply here, I was able to fix it.

I put the <global-method-security> element in my app-servlet.xml but kept the security definitions separate in security.xml, where web.xml has contextConfigLocation for app-servlet.xml and security.xml.

Works like a charm now!
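
The arrangement described in the answers above, as an added configuration example that is not taken from any of the original posts: the method-security element sits in the same context file that creates the annotated beans. The package com.test.service and the versionless schema URLs are assumptions; the file names come from the answer above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- app-servlet.xml: the context loaded by DispatcherServlet -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/context
         http://www.springframework.org/schema/context/spring-context.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Beans found by this scan are created in THIS context.
         com.test.service is an assumed package holding the
         MyServiceManager implementation. -->
    <context:component-scan base-package="com.test.controller, com.test.service" />

    <!-- Declared in the same context as the beans above, so calls to
         their @Secured and @RolesAllowed methods go through a
         security proxy. If this element appeared only in security.xml
         (the root context), beans created here would stay unproxied
         and the annotations would be silently ignored. -->
    <security:global-method-security secured-annotations="enabled"
                                     jsr250-annotations="enabled" />

    <!-- The <http>, <authentication-provider> and user definitions
         stay in security.xml, loaded through contextConfigLocation. -->
</beans>
```

A quick check that enforcement is active: call a @Secured method without the required role and confirm that an access-denied error is raised instead of the method body running.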

Did you use something like this in your web.xml?

<servlet>
    <servlet-name>name</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/webmvc-config.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

I'm not sure why, but if I use the DispatcherServlet I am not able to enforce security annotations.

Try putting the annotations on the implementation class instead of the interface and see if that works. I ended up doing that on a recent project because I was also using the @Transactional attribute on my service layer, and the Spring docs recommend putting those on the class and not the interface. I don't know if the same issue might apply to @Secured, but I wanted to keep the annotations in the same place. See the Spring docs.

Regarding Kent Lai's answer: that is a good idea. Make sure that your security config file is actually being included by Spring.

I had this same problem. After I added:

<context:annotation-config />

in my spring-security.xml file it disappeared.

Hope this will help someone :)
