stackoom
  简体   繁体   中英

Spring Security - @Secured works only in mvc Controller

 原文  2011-03-08 11:02:51       java/ spring-mvc/ spring-security

Question


I am using Spring Security + MVC.
The annotation @Secured({ "ROLE_ADMIN" }) works fine only in the controller layer.
If I try to use it in deeper/other layers, I get no security error.
Or if i am trying to use it on "none mvc mapped" methods, I get no security error.
following my xml's config files:
web.xml: 

  <?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
        /WEB-INF/spring-security.xml
        /WEB-INF/applicationContext.xml
        </param-value>
    </context-param>
    <context-param>
        <param-name>log4jConfigLocation</param-name>
        <param-value>/WEB-INF/classes/log4j-myapp.properties</param-value>
    </context-param>
    <servlet>
        <servlet-name>spring</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>spring</servlet-name>
        <url-pattern>/Management/*</url-pattern>
    </servlet-mapping>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
</web-app>

spring-servlet.xml 

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-3.0.xsd">

    <!-- Declare a view resolver -->
    <bean id="viewResolver"
    class="org.springframework.web.servlet.view.InternalResourceViewResolver"
    p:prefix="/WEB-INF/pages/" p:suffix=".jsp" />
     <context:component-scan base-package="com.affiliates" />

</beans>

spring-security.xml 

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security 

            http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    <security:global-method-security secured-annotations="enabled" />
    <security:http auto-config="true" use-expressions="true"
        access-denied-page="/Management/auth/denied">

        <security:intercept-url pattern="/Management/auth/login"
            access="permitAll" />
        <security:intercept-url pattern="/Management/main/admin"
            access="hasRole('ROLE_EMPLOYEE')" />
        <security:intercept-url pattern="/Management/api/affiliates/**"
            access="hasRole('ROLE_EMPLOYEE')" />

        <security:form-login login-page="/Management/auth/login/"
            authentication-failure-url="/Management/auth/login?error=true"
            login-processing-url="/Management/auth/j_spring_security_check"
            default-target-url="/Management/auth/login?error=false" />
        <security:logout invalidate-session="true"
            logout-success-url="/Management/auth/login/" logout-url="/Management/auth/logout" />
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider
            user-service-ref="customUserDetailsService">
            <security:password-encoder ref="passwordEncoder" />
        </security:authentication-provider>
    </security:authentication-manager>

    <bean
        class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"
        id="passwordEncoder" />
    <bean id="customUserDetailsService" class="com.affiliates.service.CustomUserDetailsService" />
</beans>

mvc-dispacher-servlet.xml 

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
    http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
    http://www.springframework.org/schema/context
    http://www.springframework.org/schema/context/spring-context-2.5.xsd">

    <context:component-scan base-package="com.affiliates.controllers" />

    <bean id="viewResolver"
        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix">
            <value>/WEB-INF/pages/</value>
        </property>
        <property name="suffix">
            <value>.jsp</value>
        </property>
    </bean>
</beans>

applocationContext.xml 

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/context
            http://www.springframework.org/schema/context/spring-context-3.0.xsd
            http://www.springframework.org/schema/mvc 
            http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">

    <!-- Activates various annotations to be detected in bean classes -->
    <context:annotation-config />

    <!-- Scans the classpath for annotated components that will be auto-registered 
        as Spring beans. For example @Controller and @Service. Make sure to set the 
        correct base-package -->
    <context:component-scan base-package="com.affiliates" />

    <!-- Configures the annotation-driven Spring MVC Controller programming 
        model. Note that, with Spring 3.0, this tag works in Servlet MVC only! -->
    <mvc:annotation-driven />

</beans>

Here is how i use it: the secured method: 

 @Component
    public  class BrandsApi{
    @Secured({ "ROLE_ADMIN" })
        public ResultContainer getAll() {
            return brandDao.getAll(getSecurityFilter().getBrandSecurityFilter());
        }
    }
}

The caller: 

@Controller
@RequestMapping("/api/brands")
public class BrandsController {
@RequestMapping(value = "/get")
    public ModelAndView get(){
       BrandsApi brandsApi = new BrandsApi();
       brandsApi.getAll();
}
}

So this is my latest update :
Hi,
I have a converted my config into javaconfig file that is working fine.
i debug my application in loading time and i see that the parameter is been transfered.
meaning that the brandsApi is initialized
Code: 

@Configuration
public class SpringJavaConfig { 
    @Bean
    public BrandsApi brandsApi(){
        return new BrandsApi();
    }
}

inside BrandsApi I have a method with @Secured({ "ROLE_ADMIN" }) above it

this is how i call the method: Code: 

ApplicationContext ctx = new AnnotationConfigApplicationContext(SpringJavaConfig.class);
    BrandsApi brandsApi = (BrandsApi)ctx.getBean(BrandsApi.class);
        brandsApi.getAll();

but for some reason i can get inside even though I have logged in ROLE_EMPLOYEE
this is my BrandsApi class:
Code: 

class BrandsApi extends BaseApi{
    @Secured({ "ROLE_ADMIN" })
    public void getAll() {
        System.out.println("Hello");
    }
}

1 answers

solution1
 5 ACCPTED  2011-03-08 11:08:13

The annotation only has an effect if the instance was created by Spring. You must turn every class, where you want to use this, into a bean and register it in the application context.

Also note that the annotation is ignored if you make internal calls: 

 Foo foo = context.getBean( "foo", Foo.class );
 foo.foo(); // <-- annotatoon works here

but if foo() calls this.foo2() , there is no check anymore. So any annotations for foo2() are ignored.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Spring Security @Secured annotation and Scala controller Spring MVC + Security. @Secured + @RequestMapping Spring Security + MVC : same @RequestMapping, different @Secured Spring-Security 3/Spring MVC and the dreaded @Secured/RequestMapping Forbidden with Spring Security and @Secured How to check access token only if resource is secured in spring security? How to apply Spring Security filter only on secured endpoints? Spring Security, secured and none secured access Spring MVC controller inheritance with spring security Spring MVC test controller with spring security
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM