1. 首页
  2. 问答
  3. 弹簧安全加法不起作用

弹簧安全加法不起作用

2014-03-26 97 views
0

我试过并尝试过,但似乎我无法使弹簧安全注释工作。我已经提到很多网站..我似乎无法看到我的代码有什么问题。任何帮助将非常感激弹簧安全加法不起作用

下面是春季安全XML

<security:global-method-security pre-post-annotations="enabled"/> 
<security:http auto-config="true" use-expressions="true"> 
    <security:intercept-url pattern="/login" access="permitAll" /> 
    <security:intercept-url pattern="/logout" access="permitAll" /> 
    <security:intercept-url pattern="/accessdenied" access="permitAll" /> 
    <security:intercept-url pattern="/**/*.css" access="permitAll" /> 
    <security:intercept-url pattern="/**/*.js" access="permitAll" /> 
    <security:intercept-url pattern="/**" access="hasRole('LANDING')" /> 
    <security:form-login login-page="/login" default-target-url="/landing" authentication-failure-url="/login" authentication-success-handler-ref="loginSuccesHandler" /> 
    <security:logout logout-success-url="/logout" /> 
</security:http>

,这里是我的web.xml

<servlet> 
    <servlet-name>dispatcher</servlet-name> 
    <servlet-class>org.springframework.web.servlet.DispatcherServlet 
    </servlet-class> 
    <load-on-startup>1</load-on-startup> 
</servlet> 
<servlet-mapping> 
    <servlet-name>dispatcher</servlet-name> 
    <url-pattern>/</url-pattern> 
</servlet-mapping> 
<filter> 
    <filter-name>XSSFilter</filter-name> 
    <filter-class>simptex.my.core.security.filter.XSSFilter</filter-class> 
</filter> 
<filter> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
</filter> 
<filter-mapping> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 
<filter-mapping> 
    <filter-name>XSSFilter</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 
<context-param> 
    <param-name>contextConfigLocation</param-name> 
    <param-value> 
     /WEB-INF/dispatcher-servlet.xml 
     /WEB-INF/application-security.xml 
    </param-value> 
</context-param> 
<listener> 
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
</listener> 
<listener> 
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class> 
</listener>

这里是Java代码样本

@PreAuthorize("hasAuthority('ROLE_TELLER')") 
@RequestMapping(value = "/urlxxxx" , method = RequestMethod.GET) 
public String controlerMethod(HttpServletRequest req, HttpSession session) { 


    return "urlxxxx"; 
}

来源

2014-03-26 vincent

回答

0

首先我认为你使用的是错误的表达方式。根据Spring文档here,我没有看到hasAuthority()表达式。然而,有一个hasRole()表达式。所以在你的情况下,我相信你需要将注释更改为@PreAuthorize("hasRole('ROLE_TELLER')")

其次,春节文档状态:

要使用调用hasPermission()的表达式,你必须明确地配置PermissionEvaluator在你的应用环境

所以在您的安全XML配置使用以下bean声明:

<bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler" />

然后将您的security:global-method-security定义更新为l ook类似于:

<security:global-method-security pre-post-annotations="enabled"> 
    <security:expression-handler ref="expressionHandler"/> 
</security:global-method-security>

这应该足以让默认的Spring Security注释开箱即用。

来源

2014-03-26 16:14:20

相关问题

 相关问题