在Spring MVC中忽略了安全注释
[英]ignored Security annotations in spring mvc
问题描述
I'm trying to configure spring secure annotations, I already managed to set spring security configuration in xml(configured by intercept-url elements), but now I'm want to use security annotations in my beans. 
我正在尝试配置spring安全注释,我已经设法在xml中设置spring安全配置(由拦截URL元素配置),但是现在我想在我的bean中使用安全注释。 But secured annotation is totaly ignored when try to access secured controller method without logging. 但是,当尝试不登录而访问安全控制器方法时,安全注释将被完全忽略。 Here is my controller bean: 这是我的控制器bean:
package com.bill.controllers;
import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class MainController {
@Secured({"ROLE_USER"})
@RequestMapping("/index.html")
public String main(ModelMap model) {
model.addAttribute("test", "test");
return "main";
}
}
and login controller: 和登录控制器:
package com.bill.controllers;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class LoginController {
@RequestMapping("/login")
public String login(ModelMap model) {
return "login";
}
}
and configurations: web.xml 和配置:web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>tests</display-name>
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-servlet.xml,
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
spring-servlet.xml spring-servlet.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:jee="http://www.springframework.org/schema/jee" xmlns:lang="http://www.springframework.org/schema/lang"
xmlns:p="http://www.springframework.org/schema/p" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee.xsd
http://www.springframework.org/schema/lang http://www.springframework.org/schema/lang/spring-lang.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd">
<context:component-scan base-package="com.bill" />
<context:annotation-config />
<!-- validation configuration -->
<bean id="validator"
class="org.springframework.validation.beanvalidation.LocalValidatorFactoryBean" />
<mvc:annotation-driven validator="validator" />
<!-- view configuration for thymeleaf -->
<bean id="templateResolver"
class="org.thymeleaf.templateresolver.ServletContextTemplateResolver">
<property name="prefix" value="/WEB-INF/templates/" />
<property name="suffix" value=".html" />
<property name="templateMode" value="HTML5" />
<property name="characterEncoding" value="UTF-8" />
<property name="cacheable" value="false" />
</bean>
<bean id="templateEngine" class="org.thymeleaf.spring3.SpringTemplateEngine">
<property name="templateResolver" ref="templateResolver" />
</bean>
<bean class="org.thymeleaf.spring3.view.ThymeleafViewResolver">
<property name="templateEngine" ref="templateEngine" />
<property name="characterEncoding" value="UTF-8" />
</bean>
<!-- messages configuration -->
<bean id="messageSource"
class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
<property name="basename" value="classpath:messages/messages" />
<property name="defaultEncoding" value="UTF-8" />
</bean>
<!-- internalization configuration -->
<bean id="localeChangeInterceptor"
class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="language" />
</bean>
<bean
class="org.springframework.web.servlet.mvc.support.ControllerClassNameHandlerMapping">
<property name="interceptors">
<list>
<ref bean="localeChangeInterceptor" />
</list>
</property>
</bean>
<!-- datasource configuration for hibernate 4 -->
<bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="com.mysql.jdbc.Driver" />
<property name="url" value="jdbc:mysql://localhost:3306/bill" />
<property name="username" value="root" />
<property name="password" value="****" />
</bean>
<bean id="sessionFactory"
class="org.springframework.orm.hibernate4.LocalSessionFactoryBean">
<property name="dataSource" ref="dataSource" />
<property name="packagesToScan" value="com.bill" />
<property name="hibernateProperties">
<props>
<prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
<prop key="hibernate.show_sql">true</prop>
</props>
</property>
</bean>
<tx:annotation-driven />
<bean id="transactionManager"
class="org.springframework.orm.hibernate4.HibernateTransactionManager">
<property name="sessionFactory" ref="sessionFactory" />
</bean>
</beans>
and spring-security.xml 和spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true">
<form-login login-page="/login" default-target-url="/index.html" authentication-failure-url="/login" />
<logout logout-success-url="/index.html" />
<anonymous granted-authority="ROLE_GUEST" username="Guest"/>
</http>
<authentication-manager>
<authentication-provider>
<password-encoder hash="sha-256"/>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="
select LOGIN, PASSWORD, 'true'
from USERS where LOGIN=?"
authorities-by-username-query="
select LOGIN, ROLE from USERS
where LOGIN=?"
/>
</authentication-provider>
</authentication-manager>
<global-method-security secured-annotations="enabled" />
</beans:beans>
If it will be needed I can also paste here my pom.xml, but I think that this is poblem with my configuration(because this example without security works fine, and with security configured in xml it also works). 如果需要的话,我也可以在这里粘贴我的pom.xml,但是我认为这与我的配置有关(因为没有安全性的示例可以正常工作,而在xml中配置了安全性也可以)。 I will be realy glad if someone can tell me where is my mistake. 如果有人可以告诉我我的错误在哪里,我将感到非常高兴。
2 个解决方案
解决方案1
6 已采纳 2013-01-18 19:45:16
You have global method security enabled in the spring-security.xml which is processed by the root web application context. 您在spring-security.xml security.xml中启用了全局方法安全spring-security.xml ,该方法由根Web应用程序上下文处理。
The controllers reside inside the dispatcher servlet context and are unaffected by the bean postprocessors of the root web app context. 控制器位于调度程序Servlet上下文中,并且不受根Web应用程序上下文的Bean后处理器的影响。
So you have to declare <security:global-method-security secured-annotations="enabled" /> inside the dispatcher servlet context or use the web level spring security tags instead(which seems to be natural for the web pages). 因此,您必须在调度程序Servlet上下文中声明<security:global-method-security secured-annotations="enabled" />或使用Web级别的spring安全性标签(这对于Web页面而言似乎很自然)。
See Difference between applicationContext.xml and spring-servlet.xml in Spring Framework 请参阅Spring Framework中applicationContext.xml和spring-servlet.xml之间的区别
Technically the bean post processors(and therefore AOP tools too) work on per container basis - therefore the things like @Secured or @Transactional will only work in the same application context where the respective annotations - <security:global-method-security ../> / <tx:annotation-driven/> have been applied. 从技术上讲,bean后处理器(以及AOP工具也是如此)基于每个容器工作-因此, @Secured或@Transactional类的东西只能在具有相应注释的同一应用程序上下文中工作- <security:global-method-security ../> / <tx:annotation-driven/>已应用。
解决方案2
0 2013-01-18 19:46:51
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.