![](/img/trans.png)
[英]Spring Security, Method Security annotation (@Secured ) is not working (java config)
[英]Spring Security, annotation @Secured is not working
我正在使用Spring MVC 。
@Secured注釋不起作用。
我嘗試了很多選擇,但似乎沒有任何效果。 告訴我,我做錯了什么?
我正在查看此頁面 - Spring Security,方法安全注釋(@Secured)不起作用(java config)它對我沒有幫助。
. . .
這是我的github代碼。 https://github.com/MyTestPerson/securede
個人類
@Controller
public class Personal {
@GetMapping(value = "/personal")
public ModelAndView personalGet () {
ModelAndView modelAndView = new ModelAndView("/personal");
modelAndView.addObject("msg", myMsg());
return modelAndView;
}
@Secured(value = {"ROLE_ADMIN"})
private String myMsg() {
return "Hello USER!!!";
}
}
安全配置類
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserDetailsService userDetailsService;
@Autowired
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.mvcMatchers("/").permitAll()
.mvcMatchers("/personal/**").hasAnyRole("ADMIN","USER")
.mvcMatchers("/login").anonymous()
.anyRequest()
.authenticated()
.and()
.formLogin()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/")
.deleteCookies("JSESSIONID")
.invalidateHttpSession(true);
}
}
根配置類
@EnableWebMvc
@Configuration
@ComponentScan("com.securede.security")
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class RootConfig implements WebMvcConfigurer {
@Bean
public PasswordEncoder encoder() {
return new BCryptPasswordEncoder();
}
}
用戶詳細信息.class
@Service
public class UserDetail implements UserDetailsService {
@Autowired
PasswordEncoder passwordEncoder;
@Override
public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
return new org.springframework.security.core.userdetails.User(
"user",
passwordEncoder.encode("user"),
true,
true,
true,
true,
getAuthorities());
}
private Collection<? extends GrantedAuthority> getAuthorities(){
List<SimpleGrantedAuthority> authList = new ArrayList<>();
authList.add(new SimpleGrantedAuthority("ROLE_USER"));
return authList;
}
}
當您調用安全方法時
modelAndView.addObject("msg", myMsg());
您實際上是在調用本地方法(就像調用this.myMsg()
),完全繞過了 Spring Security 的注釋處理。
如果將myMsg()
方法移動到服務層(即在UserDetailsService
),將其注入控制器,然后調用該方法,則可以實現您的目標:
@Controller
public class Personal {
@Autowired
UserDetailsService userDetailsService;
@GetMapping(value = "/personal")
public ModelAndView personalGet () {
ModelAndView modelAndView = new ModelAndView("/personal");
modelAndView.addObject("msg", userDetailsService.myMsg());
return modelAndView;
}
}
為了實現您想要的,您還可以在控制器方法級別使用@PreAuthorization
注釋。 例子:
@PreAuthorization("hasRole('ROLE_ADMIN')")
@GetMapping(value = "/personal")
public ModelAndView personalGet () {..}
Spring 不能在私有方法上應用基於注解的邏輯。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.