Spring Security 3.2: @Secured annotation not taken into account

I am trying to secure my RESTful API with the @Secured annotation, using Spring 3.2.4 and Spring Security 3.2. I have the following setup:
web.xml:

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            classpath*:spring/*.xml
            /WEB-INF/classes/security/security-context.xml
        </param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- Spring Security -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Servlet configuration -->
    <servlet>
        <servlet-name>appServlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:spring/servlet/servlet-context.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>appServlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
servlet-context.xml:

    <context:component-scan base-package="com.mycompany.rest.controller" />
    <security:global-method-security secured-annotations="enabled" />
security-context.xml:

    <!-- bean id matches the user-service-ref below (the original snippet had a mismatched id) -->
    <beans:bean id="customUserDetailsService" class="com.mycompany.rest.security.CustomUserDetailsService" />
    <http auto-config="false" create-session="never">
        <http-basic />
    </http>
    <authentication-manager>
        <authentication-provider user-service-ref="customUserDetailsService" />
    </authentication-manager>
In customUserDetailsService I programmatically assign custom roles (ROLE_GROUP, ROLE_DIVISION, ROLE_READ, ROLE_WRITE) to the users, and that works fine.
One of my controllers:

    @Secured("ROLE_DIVISION")
    @RequestMapping(method = RequestMethod.GET)
    ResponseEntity<List<CustomerResource>> getCustomer() throws ResourceDoestNotExistException {
        List<Customer> customers = // retrieve customers from DAO
        List<CustomerResource> resources = customerResourceAssembler.toResources(customers);
        return new ResponseEntity<>(resources, HttpStatus.OK);
    }
Now my problem: the @Secured annotation is ignored. I want to use the @Secured annotation to avoid defining several of them in the configuration. When I add at least one, Spring Security works fine, but how can I avoid defining them and rely on the @Secured annotation instead?

Right now I can access the method above with the role "ROLE_GROUP".
Sorry, that was a copy-paste error in my snippet (I was trying things out). I have updated the original post. –

Is it correct that none are defined? –

That should not affect method interception in any way. If it were applied, you would get an exception. If you are sure the method is actually being called, check whether it is actually being proxied (add a breakpoint and look at the stack, or add a Thread.dumpStack() call). –
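The proxy check suggested in the last comment can be made repeatable as a Spring test. The following is an added example and not code from the question or the comments; it assumes the controller shown above is `com.mycompany.rest.controller.CustomerController`, that `security-context.xml` is reachable on the test classpath as `security/security-context.xml` (it lives under `/WEB-INF/classes/security/` in the deployed app), and that the test loads the same two XML files the question shows.

```java
// Added example (not from the original post): verifies that the controller bean is an
// AOP proxy at all, and that @Secured("ROLE_DIVISION") rejects a ROLE_GROUP caller.
// Assumptions: controller class name CustomerController; classpath locations of the XML files.
package com.mycompany.rest.controller;

import static org.junit.Assert.assertTrue;

import org.junit.After;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.aop.support.AopUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;

@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(locations = {
        "classpath:security/security-context.xml",      // assumption: test classpath path of the security config
        "classpath:spring/servlet/servlet-context.xml" })
public class CustomerControllerSecurityTest {

    @Autowired
    private CustomerController controller;   // hypothetical name for the controller in the question

    @After
    public void clearSecurityContext() {
        // Never leak a constructed Authentication into other tests.
        SecurityContextHolder.clearContext();
    }

    @Test
    public void controllerIsProxiedByMethodSecurity() {
        // If <global-method-security> is active in the context that owns the controller,
        // the injected bean is an AOP proxy. If it is the raw class, no @Secured
        // interceptor is in the call path and the annotation can never be enforced.
        assertTrue("controller is not proxied: @Secured cannot be enforced",
                AopUtils.isAopProxy(controller));
    }

    @Test(expected = AccessDeniedException.class)
    public void roleGroupIsRejectedByAtSecured() throws Exception {
        // Constructed authentication: an authenticated user holding only ROLE_GROUP.
        // TestingAuthenticationToken with authorities is marked authenticated already.
        TestingAuthenticationToken auth =
                new TestingAuthenticationToken("user", "n/a", "ROLE_GROUP");
        SecurityContextHolder.getContext().setAuthentication(auth);

        // The call goes through the injected proxy, so the @Secured("ROLE_DIVISION")
        // interceptor must run and throw AccessDeniedException.
        controller.getCustomer();
    }
}
```

If the first test fails, the annotation is not being applied regardless of how the roles are assigned, which narrows the problem to where `<global-method-security>` is declared relative to the controller bean and to whether the class and method can be proxied at all. If the first test passes and the second fails, the interceptor is in place but the role check itself is not behaving as expected.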