How do I check method level spring security

I have implemented Spring Security in a controller method.

Below is my spring security.xml:

<!-- URL pattern based security -->
<security:http auto-config="false" entry-point-ref="authenticationEntryPoint"
    use-expressions="true">
    <custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
    <security:intercept-url access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" pattern="/common/admin/**" />
    <security:intercept-url pattern="/common/accounting/**" access="hasRole('ROLE_USER')" />
    <security:logout logout-url="/j_spring_security_logout" invalidate-session="true" logout-success-url="/login"/>

</security:http>

Below is my controller:

@Secured({"ROLE_ADMIN"})
@RequestMapping(value = "/common/admin/addAdmin", method = RequestMethod.GET)
public String add(ModelMap map) {
    map.addAttribute(new Administrator());
    return "/common/admin/addAdmin";
}

@Secured({"ROLE_ADMIN"})
@RequestMapping(value = "/common/admin/addAdmin", method = RequestMethod.POST)
public String processadd(
        @ModelAttribute("administrator") Administrator administrator) {
    this.administratorManager.addAdmin(administrator);
    return "/common/admin/success";
}

I allow the URL /common/admin/** for both the admin and user roles. But I do some restriction in the admin controller. When a user with the user role goes into /common/admin/*, he can, but he can also go into a method that is for the admin role only.

How can I solve it?

Thanks!

You already have added the @Secured annotation.

But you need to enable it:

<!-- secured-annotations = (@Secured("ROLE_ADMIN")) -->
<!-- jsr250-annotations = (@RunAs @RolesAllowed @PermitAll @DenyAll @DeclareRoles) -->
<!-- pre-post-annotations = @PreAuthorized("hasAuthority('ROLE_ADMIN')") -->
<global-method-security
    secured-annotations="enabled" 
    jsr250-annotations="disabled"
    pre-post-annotations="disabled">        
</global-method-security>

@Secured can take a single role or several roles:

  • @Secured("ROLE_USER")
  • @Secured({"ROLE_USER", "ROLE_ADMIN"}) // grant access if the user has one of these roles

BTW: From the Spring Security 3 Book (http://www.springsecuritybook.com/):

The @Secured annotation is functionally and syntactically the same as @RolesAllowed ... As @Secured functions the same as the JSR standard @RolesAllowed there's not really a compelling reason to use it ( @Secured ) in new code...

(do not forget to enable it: jsr250-annotations="enabled" )

I believe you could have multiple roles defined with the @Secured annotation. Is this what you need?

If this is the case, try @RolesAllowed

Check this FAQ. Make sure the global-method-security element is in the web context file if you want to apply security to Spring MVC controllers.

Also, you may need to enable class proxying, using

<global-method-security secured-annotations="enabled" proxy-target-class="true" />

if your controller implements an interface and the method you are securing is not part of that interface (you'll also need cglib as an additional dependency in your app for this).

If you want to use annotations, better put the following in servlet.xml. There is no point in enabling the annotations in spring-security.xml as it will not take any effect.

Putting the above in servlet.xml will do the trick.
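As an added example (not code from the question or any answer above), this is a DispatcherServlet context that puts the advice of the last three answers together: the global-method-security element lives in the same context that creates the @Controller beans, JSR-250 and @Secured annotations are enabled, and class proxying is switched on. The file name servlet-context.xml and the package com.example.web are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- servlet-context.xml (assumed name): the DispatcherServlet's own context,
     i.e. the one that instantiates the @Controller beans. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/context
         http://www.springframework.org/schema/context/spring-context-3.1.xsd
         http://www.springframework.org/schema/mvc
         http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Controllers are scanned into THIS context, so the method-security
         post-processor must be declared here as well; declaring it only in
         the root context (spring security.xml) leaves controller methods
         unprotected. The base-package is an assumption. -->
    <context:component-scan base-package="com.example.web"/>
    <mvc:annotation-driven/>

    <!-- Turns @Secured and the JSR-250 @RolesAllowed into method
         interceptors on the controller beans. proxy-target-class="true"
         makes Spring use CGLIB subclass proxies, so handler methods that
         are not declared on an interface are intercepted too. -->
    <security:global-method-security
        secured-annotations="enabled"
        jsr250-annotations="enabled"
        proxy-target-class="true"/>
</beans>
```

With this in place a ROLE_USER request still passes the /common/admin/** URL rule, but the call into the @Secured({"ROLE_ADMIN"}) handler is rejected by the method interceptor with an AccessDeniedException, which Spring Security renders as an HTTP 403.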
