Spring Security @PreAuthorize annotation doesn't work
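I have a Java web application with Spring Security. I use the @PreAuthorize annotation, but it doesn't work.

I have a PermissionResolver class that implements the PermissionEvaluator interface, and an AccessClassService that uses the @PreAuthorize annotation.

When I set a breakpoint on the hasPermission method in the PermissionResolver class and run the application in debug mode, I see that the hasPermission method is not called.

Can anyone help me?

My securityContext.xml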
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:global-method-security pre-post-annotations="enabled">
        <security:expression-handler ref="permissionHandler"/>
    </security:global-method-security>

    <bean id="permissionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <property name="permissionEvaluator" ref="eval"/>
    </bean>

    <bean id="eval" class="org.mydomain.myapp.infrastructure.security.PermissionResolver" />

    <security:http auto-config="true" use-expressions="true" disable-url-rewriting="true">
        <security:intercept-url pattern="/favicon.ico" access="permitAll" />
        <security:intercept-url pattern="/resources/**" access="permitAll"/>
        <security:intercept-url pattern="/login" access="isAnonymous()"/>
        <security:intercept-url pattern="/registration/**" access="isAnonymous()"/>
        <security:intercept-url pattern="/restorePassword" access="isAnonymous()"/>
        <security:intercept-url pattern="/**" access="isAuthenticated()"/>
        <security:form-login login-page="/login" authentication-failure-url="/login?fail" default-target-url="/" />
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider user-service-ref="hibernateUserService" />
    </security:authentication-manager>
</beans>
```
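My PermissionResolver.java

```java
import java.io.Serializable;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

public class PermissionResolver implements PermissionEvaluator {

    @Autowired
    private AccessClassService service;

    // Target-object form: hasPermission(target, permission)
    @Override
    public boolean hasPermission(Authentication a, Object o, Object o1) {
        return false;
    }

    // Identifier form: hasPermission(targetId, targetType, permission)
    @Override
    public boolean hasPermission(Authentication a, Serializable targetId, String targetType, Object o) {
        return false;
    }
}
```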
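And the service with the @PreAuthorize annotation (with test parameters)

```java
import org.hibernate.criterion.Projections;
import org.hibernate.criterion.Restrictions;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional; // assumed: Spring's @Transactional

@Service
public class AccessClassService {

    @Autowired
    private PersistableDAO dao;

    public AccessClass getInitialAccessClass() {
        return dao.getOneByAttr(AccessClass.class, "number", 0);
    }

    // Method-level check; the expression is evaluated by the configured PermissionEvaluator
    @Transactional
    @PreAuthorize("hasPermission('12','AccessClass')")
    public AccessClass get(Long id) {
        return dao.get(AccessClass.class, id);
    }

    public Integer getAccessClassNumber(Long id) {
        return (Integer) dao.getCriteria(AccessClass.class)
                .setProjection(Projections.property("number"))
                .add(Restrictions.eq("id", id)).uniqueResult();
    }
}
```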
Problem solved. I can't use the service in PermissionResolver. If I don't use it, or use the dao instead, everything works fine.
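
Following the resolution above (the evaluator must not depend on the `@PreAuthorize`-secured service), this is an added example, not the poster's code, of a `PermissionEvaluator` that reads through a DAO directly and denies by default. `AccessClassDao`, `findNumber` and the `ACCESS_CLASS_<number>` authority policy are assumptions made for illustration.

```java
import java.io.Serializable;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Added example: the evaluator is wired to a DAO only, never to a secured service.
public class DaoBackedPermissionResolver implements PermissionEvaluator {

    // Hypothetical stand-in for the page's PersistableDAO.
    public interface AccessClassDao {
        Integer findNumber(Long accessClassId); // null when the id is unknown
    }

    private final AccessClassDao dao;

    public DaoBackedPermissionResolver(AccessClassDao dao) {
        this.dao = dao;
    }

    // Reached by the two-argument expression, e.g. the page's
    // hasPermission('12','AccessClass'): target = "12", permission = "AccessClass".
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (target == null || permission == null) return false;
        return check(auth, target.toString(), permission.toString());
    }

    // Reached by the three-argument expression hasPermission(id, 'AccessClass', 'read').
    // The permission name is not part of the assumed policy and is ignored here.
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        return targetId != null && check(auth, targetId.toString(), targetType);
    }

    // Assumed policy: caller needs authority ACCESS_CLASS_<number>; all else is denied.
    private boolean check(Authentication auth, String id, String type) {
        if (auth == null || !auth.isAuthenticated() || !"AccessClass".equals(type)) return false;
        Integer number;
        try {
            number = dao.findNumber(Long.valueOf(id));
        } catch (NumberFormatException e) {
            return false; // malformed id: fail closed
        }
        if (number == null) return false;
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (("ACCESS_CLASS_" + number).equals(ga.getAuthority())) return true;
        }
        return false;
    }
}
```

With the XML configuration shown earlier, the `eval` bean would point at this class and receive the DAO through a `constructor-arg`.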