Spring Security: method is not secured with @PreAuthorize annotation

I would like to secure a method in my managed session bean for the specific role "ROLE_ADMIN".

config (applicationContext-security.xml):

    <global-method-security pre-post-annotations="enabled" jsr250-annotations="enabled" secured-annotations="enabled"/>

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <intercept-url pattern="/**" access="permitAll()"/>
        <form-login
            login-processing-url="/j_spring_security_check"
            login-page="/login.jsf"
            default-target-url="/main.jsf"
            authentication-failure-url="/login.jsf" />

        <session-management>
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" />
        </session-management>
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <user-service>
                <user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
                <user name="user1" password="user1" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>

bean's secured method:

    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public String buy() {
        ...
    }

When I log in as user1 or as anonymous and click the "buy" button on the web page, it still redirects to the next page.

I expected some access denied exception to occur, but it doesn't.

Remember to enable method level security in your applicationContext-security.xml:

<sec:global-method-security secured-annotations="enabled" />

If, instead, you use Pre or Post annotations, use:

<security:global-method-security pre-post-annotations="enabled"/>

For more on this, see:

http://forum.springsource.org/showthread.php?t=77862

Note: For annotations from jsr-250:

<sec:global-method-security jsr250-annotations="enabled" />
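A way to check that the setting from the answer is actually enforced, as an added example that is not part of the original posts. It assumes Spring Security 5.x on the classpath and uses `@EnableGlobalMethodSecurity(prePostEnabled = true)`, the Java-config counterpart of `pre-post-annotations="enabled"`; `ShopBean`, `Config` and `MethodSecurityCheck` are hypothetical names. It calls `buy()` both on a Spring-managed bean and on an instance created with `new`, which Spring does not proxy.

```java
// Added example; assumes spring-context, spring-aop, spring-security-core and spring-security-config (5.x).
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.context.SecurityContextHolder;

public class MethodSecurityCheck {

    // Hypothetical stand-in for the bean in the question.
    public static class ShopBean {
        @PreAuthorize("hasRole('ROLE_ADMIN')")
        public String buy() { return "bought"; }
    }

    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true) // same effect as pre-post-annotations="enabled"
    public static class Config {
        @Bean
        public ShopBean shopBean() { return new ShopBean(); }
    }

    // Calls buy() as the given (constructed) user and reports whether the call was allowed.
    static String attempt(ShopBean bean, String user, String... authorities) {
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken(user, "n/a", authorities));
        try {
            return bean.buy();
        } catch (AccessDeniedException e) {
            return "denied";
        } finally {
            SecurityContextHolder.clearContext();
        }
    }

    public static void main(String[] args) {
        try (AnnotationConfigApplicationContext ctx = new AnnotationConfigApplicationContext(Config.class)) {
            ShopBean proxied = ctx.getBean(ShopBean.class); // Spring-managed: calls pass through the security interceptor
            ShopBean plain = new ShopBean();                // created outside Spring: the annotation is never evaluated
            System.out.println("admin via context: " + attempt(proxied, "admin", "ROLE_USER", "ROLE_ADMIN"));
            System.out.println("user1 via context: " + attempt(proxied, "user1", "ROLE_USER"));
            System.out.println("user1 via new:     " + attempt(plain, "user1", "ROLE_USER"));
        }
    }
}
```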
