堆栈内存溢出
  简体   繁体   English

Spring 对方法的安全注解是如何工作的?

[英]How do Spring's security annotations on methods work?

 原文  2011-07-12 14:40:56       java/ annotations/ spring-security/ authorization

问题描述

Consider this code:考虑这段代码:

import java.util.Collections;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.userdetails.User;

public class SecureStuff {
    @PreAuthorize("#user.password == #oldPassword")
    public static void changePassword(User user, String oldPassword, String newPassword){
       System.out.print("Changing passwords ...");
    }

    public static void main(String[] args) {
        User joe = new User("Joe", "HansWurst", true, true, true, true, Collections.EMPTY_LIST);
        changePassword(joe, "HansWurst", "TeeWurst");
    }

}

I ran the code in STS (SpringSource Tool Suite) and it worked as expected.我在 STS(SpringSource Tool Suite)中运行了代码,它按预期工作。 (It printed "Changing passwords..." .) Then I renamed the password to something else, expecting the method call to fail now. (它打印了"Changing passwords..." 。)然后我将密码重命名为其他内容,希望方法调用现在失败。

I have already added the line <global-method-security pre-post-annotations="enabled"/> to my applicationContext-security.xml configuration file.我已经将行<global-method-security pre-post-annotations="enabled"/>添加到我的applicationContext-security.xml配置文件中。

What am I missing here?我在这里想念什么?

2 个解决方案

解决方案1
 6 已采纳  2011-07-12 14:51:05

  1. These annotations don't work on static methods这些注释不适用于static方法
  2. To make these annotations work you need to declare your object as a bean of the application context (the one with <global-method-security> element), and call the annotated method on the instance obtained from the context.要使这些注释起作用,您需要将 object 声明为应用程序上下文的一个 bean(具有<global-method-security>元素的那个),并在从上下文中获得的实例上调用带注释的方法。

Basically, these annotations are based on Spring AOP support and inherit all limitations of a proxy-based AOP .基本上,这些注释基于 Spring AOP 支持并继承了基于代理的 AOP的所有限制。 For better understanding you can take a look at the Spring AOP documentation .为了更好地理解,您可以查看Spring AOP 文档

解决方案2
 1  2012-04-07 08:05:26

@PreAuthorize does work on static methods, but you need to set the mode of global-method-security to aspectj @PreAuthorize 确实适用于 static 方法,但您需要将 global-method-security 的模式设置为 aspectj

    <global-method-security pre-post-annotations="enabled" mode="aspectj"/>

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何使用注解将Spring安全性配置为在处女座上工作? - How do I configure Spring security to work on Virgo - using annotations? 如何创建用于 spring 安全表达式语言注释的自定义方法 - How to create custom methods for use in spring security expression language annotations @PostFilter 和 @PreFilter 如何在 Spring Security 中工作? - How do @PostFilter and @PreFilter work in Spring Security? 什么是注释,它们如何真正适用于像Spring这样的框架? - What are annotations and how do they actually work for frameworks like Spring? 如何使用批注(无xml)配置spring-security? - How to configure spring-security with annotations (no xml)? Spring Security 注解的排序 - Ordering of Spring Security annotations 我为 Spring Security 结合了 XML 和注释,但它不起作用 - I combine XML and annotations for Spring Security and it does not work 如何在春季安全性中使用“注释”将通道安全性添加为https? - How to add channel security as https in spring security using “annotations”? Spring Security - 如何启用Method Security注释? - Spring Security - how I can enable Method Security annotations? 用户注释如何工作? - How do user annotations work?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM