Spring Security: method is not secured with @PreAuthorize annotation
I would like to secure a method in my managed session bean for the specific role "ROLE_ADMIN".
config (applicationContext-security.xml):
<global-method-security pre-post-annotations="enabled" jsr250-annotations="enabled" secured-annotations="enabled"/>
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/**" access="isAuthenticated()"/>
    <intercept-url pattern="/**" access="permitAll()"/>
    <form-login
        login-processing-url="/j_spring_security_check"
        login-page="/login.jsf"
        default-target-url="/main.jsf"
        authentication-failure-url="/login.jsf" />
    <session-management>
        <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" />
    </session-management>
</http>
<authentication-manager alias="authenticationManager">
    <authentication-provider>
        <user-service>
            <user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
            <user name="user1" password="user1" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>
<beans:bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>
bean's secured method:
@PreAuthorize("hasRole('ROLE_ADMIN')")
public String buy() {
...
}
When I logged in as user1 or as anonymous and clicked the "buy" button on the web page, it still redirected to the next page.
I expect an access denied exception to occur, and it doesn't.
Remember to enable method level security on your applicationContext-security.xml:
<sec:global-method-security secured-annotations="enabled" />
If instead you will use Pre or Post annotations, use:
<security:global-method-security pre-post-annotations="enabled"/>
For more on this, see:
http://forum.springsource.org/showthread.php?t=77862
Note: For annotations from jsr-250:
<sec:global-method-security jsr250-annotations="enabled" />
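A way to check that the annotation is actually enforced, as an added example that is not part of the original question or answer. It loads a constructed context in which `global-method-security` and the bean are declared together, confirms the bean is proxied, and calls `buy()` as each user. `MethodSecurityCheck` and `ShopBean` are hypothetical names, and the example assumes `spring-security-config` and its dependencies are on the classpath.

```java
import org.springframework.aop.support.AopUtils;
import org.springframework.context.support.GenericXmlApplicationContext;
import org.springframework.core.io.ByteArrayResource;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

public class MethodSecurityCheck {
    // Hypothetical stand-in for the question's bean. It must be created by Spring,
    // in the same context as <global-method-security>, or no interceptor is applied.
    public static class ShopBean {
        @PreAuthorize("hasRole('ROLE_ADMIN')")
        public String buy() { return "bought"; }
    }
    // Constructed context definition, embedded so the check runs without extra files.
    static final String XML =
        "<beans:beans xmlns='http://www.springframework.org/schema/security'"
      + " xmlns:beans='http://www.springframework.org/schema/beans'"
      + " xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'"
      + " xsi:schemaLocation='http://www.springframework.org/schema/beans"
      + " http://www.springframework.org/schema/beans/spring-beans.xsd"
      + " http://www.springframework.org/schema/security"
      + " http://www.springframework.org/schema/security/spring-security.xsd'>"
      + "<global-method-security pre-post-annotations='enabled'/>"
      + "<authentication-manager><authentication-provider><user-service>"
      + "<user name='user1' password='user1' authorities='ROLE_USER'/>"
      + "</user-service></authentication-provider></authentication-manager>"
      + "<beans:bean id='shop' class='MethodSecurityCheck$ShopBean'/>"
      + "</beans:beans>";
    // Puts an already-authenticated token with the given roles into the security context.
    static void loginAs(String user, String... roles) {
        SecurityContextHolder.getContext().setAuthentication(
            new UsernamePasswordAuthenticationToken(user, "n/a", AuthorityUtils.createAuthorityList(roles)));
    }
    // Returns true when the call is rejected by the method-security interceptor.
    static boolean denied(ShopBean shop) {
        try { shop.buy(); return false; } catch (AccessDeniedException e) { return true; }
    }
    public static void main(String[] args) {
        GenericXmlApplicationContext ctx =
            new GenericXmlApplicationContext(new ByteArrayResource(XML.getBytes()));
        ShopBean shop = ctx.getBean("shop", ShopBean.class);
        // A bean that is not an AOP proxy never has its @PreAuthorize expression evaluated.
        System.out.println("proxied: " + AopUtils.isAopProxy(shop));
        loginAs("user1", "ROLE_USER");
        System.out.println("user1 denied: " + denied(shop));
        loginAs("admin", "ROLE_USER", "ROLE_ADMIN");
        System.out.println("admin denied: " + denied(shop));
        ctx.close();
    }
}
```

If the same check against the real bean reports that it is not proxied, the bean instance is being created outside the Spring context that declares `global-method-security`, and the annotation has no effect on it.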