2011-03-07 99 views


安全注解无法起到保护作用:我在需要保护的方法上使用了 @Secured({"ROLE_ADMIN"}),但遇到了问题。

我以 ROLE_EMPLOYEE 身份登录后,仍然可以调用带有 @Secured({"ROLE_ADMIN"}) 注解的方法。

这是我的配置:

<!-- Turns on @Secured processing for beans defined in the same application context as this element. -->
<!-- NOTE(review): the role check is applied by a proxy wrapped around the bean; an instance that did
     not come from that context (for example one created with "new") is called without any check. -->
<security:global-method-security secured-annotations="enabled" /> 
<!-- The bean whose getAll() method carries @Secured({"ROLE_ADMIN"}). -->
<bean id="affiliatesApi" class="com.affiliates.api.AffiliatesApi" /> 

这是我AffiliatesApi类

/**
 * Exposes {@code getAll} for {@code Affiliate} entities on top of {@code affiliateDao}.
 */
public class AffiliatesApi extends BaseApplicationAPI<Object> {

    /**
     * Returns the result of {@code affiliateDao.getAll} for {@code Affiliate.class}, passing the
     * security filter obtained from {@code SecurityUtills} together with the caller's filter.
     *
     * <p>Annotated for ROLE_ADMIN only. The annotation is evaluated by the proxy that Spring
     * Security wraps around the container-managed bean, so it has an effect only for calls that
     * go through that proxy; a direct call on a plain instance is not checked.
     *
     * @param filter caller-supplied filter, forwarded unchanged to the DAO
     * @return whatever the DAO returns
     */
    @Secured({"ROLE_ADMIN"})
    public ResultContainer getAll(IFilter filter) {
        return affiliateDao.getAll(
                Affiliate.class,
                (ISecurityFilter) SecurityUtills.getSecurityFilter(),
                filter);
    }
}

我从另一个包中调用 AffiliatesApi,如下所示:

// MVC controller mapped under /api/affiliates; its handler delegates to AffiliatesApi.
@Controller 
@RequestMapping("/api/affiliates") 
public class AffiliatesController extends BaseController{ 

    // Injected by bean name "affiliatesApi".
    // NOTE(review): the "new AffiliatesApi()" initializer is a plain object with no security proxy
    // around it. If the container never performs the injection, getAll() runs on this object and
    // @Secured({"ROLE_ADMIN"}) is not evaluated at all; leaving the field uninitialized makes a
    // missing injection fail loudly instead.
    // NOTE(review): the field is typed as the concrete class. An interface-based (JDK) proxy of the
    // bean is not assignable to it, which matches the BeanNotOfRequiredTypeException ("but was
    // actually of type [$Proxy44]") reported at startup.
    @Resource(name="affiliatesApi") 
    AffiliatesApi affiliatesApi = new AffiliatesApi(); 

    // NOTE(review): the snippet is abridged as posted: the @RequestParam has no parameter name,
    // "filter" is not declared here, and no ModelAndView is returned.
     @RequestMapping(value = "/get") 
    public ModelAndView get(@RequestParam(value="id",required=false) String){ 
      affiliatesApi.getAll(filter); 
     } 
} 

这是我的完整安全配置:

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
      http://www.springframework.org/schema/security 

      http://www.springframework.org/schema/security/spring-security-3.0.xsd"> 
    <!-- Enables @Secured. Method security is applied through proxies, and only to beans that live
         in the application context that contains this element. -->
    <!-- NOTE(review): the proxies are interface-based (JDK) unless class proxying is requested.
         AffiliatesApi is injected by its concrete class, so either inject it through an interface
         or set proxy-target-class="true" on this element (needs CGLIB on the classpath); confirm
         the attribute against the Spring Security version in use. -->
    <security:global-method-security secured-annotations="enabled" /> 
    <!-- Web layer: form login with SpEL access expressions. -->
    <security:http auto-config="true" use-expressions="true" 
     access-denied-page="/Management/auth/denied"> 

     <!-- URL rules are evaluated in the order written; the first matching pattern decides. -->
     <!-- NOTE(review): /Management/api/affiliates/** only requires ROLE_EMPLOYEE, so the
          ROLE_ADMIN restriction on getAll() depends entirely on method security taking effect. -->
     <!-- NOTE(review): there is no catch-all rule; a URL that matches none of the patterns below
          is not restricted by this configuration. -->
     <security:intercept-url pattern="/Management/auth/login" 
      access="permitAll" /> 
     <security:intercept-url pattern="/Management/main/admin" 
      access="hasRole('ROLE_EMPLOYEE')" /> 
     <security:intercept-url pattern="/Management/api/affiliates/**" 
      access="hasRole('ROLE_EMPLOYEE')" /> 

     <security:form-login login-page="/Management/auth/login/" 
      authentication-failure-url="/Management/auth/login?error=true" 
      login-processing-url="/Management/auth/j_spring_security_check" 
      default-target-url="/Management/auth/login?error=false" /> 
     <!-- Logout invalidates the HTTP session and returns to the login page. -->
     <security:logout invalidate-session="true" 
      logout-success-url="/Management/auth/login/" logout-url="/Management/auth/logout" /> 
    </security:http> 

    <!-- Authentication: users come from customUserDetailsService, passwords are compared through
         passwordEncoder. -->
    <security:authentication-manager> 
     <security:authentication-provider 
      user-service-ref="customUserDetailsService"> 
      <security:password-encoder ref="passwordEncoder" /> 
     </security:authentication-provider> 
    </security:authentication-manager> 

    <!-- NOTE(review): MD5 with no salt source configured here is a fast, unsalted hash and is weak
         for stored passwords. Moving to an adaptive, salted hash needs a migration plan for the
         hashes already stored. -->
    <bean 
     class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" 
     id="passwordEncoder" /> 


    <bean id="customUserDetailsService" class="com.affiliates.service.CustomUserDetailsService" /> 


    <!-- Defined in the same context as global-method-security, so this bean is the one that gets
         wrapped in the method-security proxy. -->
    <bean id="affiliatesApi" class="com.affiliates.api.AffiliatesApi" /> 


</beans> 

这是我的web.xml:

<?xml version="1.0" encoding="UTF-8"?> 
<web-app id="WebApp_ID" version="2.4" 
    xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"> 

    <!-- Spring Security entry point: DelegatingFilterProxy forwards to the bean named
         springSecurityFilterChain, looked up in the root application context. -->
    <filter> 
     <filter-name>springSecurityFilterChain</filter-name> 
     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
    </filter> 

    <!-- Every request passes through the security filter chain. -->
    <filter-mapping> 
     <filter-name>springSecurityFilterChain</filter-name> 
     <url-pattern>/*</url-pattern> 
    </filter-mapping> 

    <!-- Files that ContextLoaderListener loads into the root application context. -->
    <!-- NOTE(review): presumably spring-security.xml is the security configuration shown on this
         page; its global-method-security element then covers beans of the root context only. -->
    <context-param> 
     <param-name>contextConfigLocation</param-name> 
     <param-value> 
     /WEB-INF/spring-security.xml 
     /WEB-INF/applicationContext.xml 
     </param-value> 
    </context-param> 

    <context-param> 
     <param-name>log4jConfigLocation</param-name> 
     <param-value>/WEB-INF/classes/log4j-myapp.properties</param-value> 
    </context-param> 

    <!-- DispatcherServlet builds its own child context. No config location is given here, so by
         Spring convention it reads /WEB-INF/spring-servlet.xml. -->
    <!-- NOTE(review): method security declared in the root context does not proxy beans created in
         this child context; @Secured on such beans is only enforced if method security is also
         declared in the servlet's own configuration file. -->
    <servlet> 
     <servlet-name>spring</servlet-name> 
     <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 
     <load-on-startup>1</load-on-startup> 
    </servlet> 

    <servlet-mapping> 
     <servlet-name>spring</servlet-name> 
     <url-pattern>/Management/*</url-pattern> 
    </servlet-mapping> 

    <!-- Creates the root application context from contextConfigLocation at startup. -->
    <listener> 
     <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
    </listener> 

</web-app> 

这是 Tomcat 启动加载时我收到的异常:

Mar 7, 2011 5:44:57 PM org.apache.catalina.core.StandardContext listenerStart 
SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener 
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'affiliatesController': Injection of resource dependencies failed; nested exception is org.springframework.beans.factory.BeanNotOfRequiredTypeException: Bean named 'affiliatesApi' must be of type [com.affiliates.api.AffiliatesApi], but was actually of type [$Proxy44] 
    at org.springframework.context.annotation.CommonAnnotationBeanPostProcessor.postProcessPropertyValues(CommonAnnotationBeanPostProcessor.java:300) 
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1074) 
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:517) 
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456) 
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291) 
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) 
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288) 
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:190) 
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:580) 
    at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:895) 
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:425) 
    at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:276) 
    at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:197) 
    at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47) 
    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4521) 
    at org.apache.catalina.core.StandardContext$1.call(StandardContext.java:5004) 
    at org.apache.catalina.core.StandardContext$1.call(StandardContext.java:4999) 
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334) 
    at java.util.concurrent.FutureTask.run(FutureTask.java:166) 
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) 
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) 
    at java.lang.Thread.run(Thread.java:636) 
Caused by: org.springframework.beans.factory.BeanNotOfRequiredTypeException: Bean named 'affiliatesApi' must be of type [com.affiliates.api.AffiliatesApi], but was actually of type [$Proxy44] 
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:349) 
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194) 
    at org.springframework.context.annotation.CommonAnnotationBeanPostProcessor.autowireResource(CommonAnnotationBeanPostProcessor.java:435) 
    at org.springframework.context.annotation.CommonAnnotationBeanPostProcessor.getResource(CommonAnnotationBeanPostProcessor.java:409) 
    at org.springframework.context.annotation.CommonAnnotationBeanPostProcessor$ResourceElement.getResourceToInject(CommonAnnotationBeanPostProcessor.java:541) 
    at org.springframework.beans.factory.annotation.InjectionMetadata$InjectedElement.inject(InjectionMetadata.java:147) 
    at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:84) 
    at org.springframework.context.annotation.CommonAnnotationBeanPostProcessor.postProcessPropertyValues(CommonAnnotationBeanPostProcessor.java:297) 
    ... 21 more 

spring servlet:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">

    <!-- View resolver: a logical view name is resolved to /WEB-INF/pages/[name].jsp -->
    <!-- As posted, this file declares no component scan and no method security of its own. -->
    <bean id="viewResolver"
          class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix" value="/WEB-INF/pages/"/>
        <property name="suffix" value=".jsp"/>
    </bean>

</beans>

可能与 [Spring 不执行方法安全注解](http://stackoverflow.com/questions/517527/spring-not-enforcing-method-security-annotations) 重复 – 2011-03-07 11:56:00


不一样的问题 – fatnjazzy 2011-03-07 11:59:34


你为什么关闭它? – fatnjazzy 2011-03-07 12:42:12

回答


修改后的 spring-servlet.xml:

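<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
     http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
     http://www.springframework.org/schema/context
     http://www.springframework.org/schema/context/spring-context-3.0.xsd">


    <!-- Declare a view resolver -->
    <bean id="viewResolver"
    class="org.springframework.web.servlet.view.InternalResourceViewResolver"
    p:prefix="/WEB-INF/pages/" p:suffix=".jsp" />

    <!-- Scan for annotated controllers. Beans found by this scan are created in the
         DispatcherServlet's own context, not in the root context. -->
    <!-- NOTE(review): a global-method-security element declared in another context does not proxy
         the beans created here, so @Secured on classes picked up by this scan is enforced only if
         method security is also declared in this file. -->
    <!-- NOTE(review): base-package covers the whole com.affiliates tree. If any of these classes
         are also defined or scanned in the root context, this scan may create a second, unproxied
         copy of them; consider narrowing it to the package that holds the controllers. -->
    <context:component-scan base-package="com.affiliates"/>

</beans>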

没有运气......如果你有时间,这是我的项目... fatnjazzy.byethost8.com/Affiliates.tar.gz感谢您的时间 – fatnjazzy 2011-03-07 19:30:25


对不起,现在它可以工作了,但只在控制器本身生效,在更深的层上不生效,这是正常的吗? – fatnjazzy 2011-03-07 19:35:37


@fatnjazzy 这多少在我预料之中。我们需要检查其余的装配(wiring),以及 applicationContext.xml 中 <context:component-scan> 的用法。非控制器类上使用的是哪些其他构造型注解(@Component、@Service 等)? – Ritesh 2011-03-07 19:44:46