
我面臨 @PreAuthorize 註釋的問題。有兩件事情要做。@PreAuthorize 在 Spring Security 4 中不起作用。

  • 檢索所有員工應該由擁有 USER 或 ADMIN 權限的人完成。

  • 刪除員工應該由擁有 ADMIN 權限的人員完成。我需要使用 spring-security-4 的方法級別授權。

Project_explorer_view

User.java

package com.nikunj.SpringMethodLevelAuthorization; 
/**
 * Plain mutable bean describing an employee: a numeric id, a first name and a
 * free-form type label (the sample data uses values such as "SE" and "SSE").
 *
 * <p>Fields are package-private and mutable, exactly as in the original; this
 * class is not thread-safe and callers needing a stable snapshot should copy
 * the values they read.
 */
public class user {
    int id;
    String firstName;
    String type;

    /**
     * Creates a user with all three attributes populated.
     *
     * @param id        numeric identifier of the employee
     * @param firstName first name of the employee
     * @param type      employee type label
     */
    public user(int id, String firstName, String type) {
        this.id = id;
        this.firstName = firstName;
        this.type = type;
    }

    // --- read accessors -------------------------------------------------

    /** @return the numeric identifier */
    public int getId() {
        return this.id;
    }

    /** @return the first name */
    public String getFirstName() {
        return this.firstName;
    }

    /** @return the employee type label */
    public String getType() {
        return this.type;
    }

    // --- write accessors ------------------------------------------------

    /** @param id new numeric identifier */
    public void setId(int id) {
        this.id = id;
    }

    /** @param firstName new first name */
    public void setFirstName(String firstName) {
        this.firstName = firstName;
    }

    /** @param type new employee type label */
    public void setType(String type) {
        this.type = type;
    }
}

userService.java

package com.nikunj.SpringMethodLevelAuthorization; 
import java.util.Vector; 
import org.springframework.security.access.prepost.PreAuthorize; 
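/**
 * Employee lookup and removal operations guarded by Spring method security.
 *
 * <p>The {@code @PreAuthorize} rules below are enforced only when the caller
 * holds the Spring-managed proxy of the implementing bean and
 * {@code <global-method-security pre-post-annotations="enabled"/>} is declared
 * in the application context that creates that bean. An implementation that is
 * constructed directly with {@code new} is never proxied, so on such an object
 * these annotations have no effect at all.
 *
 * <p>Interface methods are implicitly {@code public}; the redundant modifier
 * from the original declaration has been dropped.
 */
public interface userService {
    /**
     * Removes the user with the given id. Requires the ADMIN role.
     *
     * @param id identifier of the user to delete
     */
    @PreAuthorize("hasRole('ADMIN')")
    void deleteUser(int id);

    /**
     * Returns all known users. Requires the ADMIN or USER role.
     *
     * @return every known user
     */
    @PreAuthorize("hasRole('ADMIN') or hasRole('USER')")
    Vector<user> getAllUsers();
}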

userImplementation.java

package com.nikunj.SpringMethodLevelAuthorization; 
import java.util.Vector; 
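/**
 * In-memory {@link userService} seeded with a fixed list of six users.
 *
 * <p>Authorization is not checked here: the {@code @PreAuthorize} rules live on
 * the interface and are applied by Spring's method-security proxy, which only
 * exists when this class is instantiated as a Spring bean.
 *
 * <p>Not thread-safe beyond what {@link Vector} guarantees per call; the
 * find-then-remove sequence in {@link #deleteUser(int)} is not atomic.
 */
public class userImplementation implements userService {
    Vector<user> users;

    /** Populates the backing list with the sample users. */
    public userImplementation() {
        users = new Vector<user>();
        users.add(new user(1, "Nikunj", "SE"));
        users.add(new user(2, "Abdul", "SSE"));
        users.add(new user(3, "Mrinal", "LSE"));
        users.add(new user(4, "Anurag", "SE"));
        users.add(new user(5, "Naresh", "LSE"));
        users.add(new user(6, "Mahesh", "SE"));
    }

    /**
     * Looks up a user by id.
     *
     * @param id identifier to search for
     * @return the first user with that id, or {@code null} when none matches
     */
    public user findById(int id) {
        for (user u : users) {
            if (u.getId() == id) {
                return u;
            }
        }
        return null;
    }

    /**
     * Returns a snapshot of all users.
     *
     * <p>A copy is returned so that callers cannot alter this service's backing
     * list through the result; the original handed out the internal Vector.
     *
     * @return a new Vector holding the current users
     */
    @Override
    public Vector<user> getAllUsers() {
        return new Vector<user>(users);
    }

    /**
     * Removes the user with the given id; a no-op when no such user exists.
     *
     * @param id identifier of the user to delete
     */
    @Override
    public void deleteUser(int id) {
        user u = findById(id);
        // Guard rather than rely on Vector.remove(null) quietly returning false.
        if (u != null) {
            users.remove(u);
        }
    }
}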

homeController.java

package com.nikunj.SpringMethodLevelAuthorization; 

import java.util.Vector; 

import org.springframework.stereotype.Controller; 
import org.springframework.ui.Model; 
import org.springframework.web.bind.annotation.PathVariable; 
import org.springframework.web.bind.annotation.RequestMapping; 
import org.springframework.web.bind.annotation.RequestMethod; 
/**
 * MVC controller exposing the user list and a per-id delete endpoint.
 *
 * <p>NOTE(review): {@code ui} is created with {@code new} rather than injected,
 * so it is a plain object and not the Spring-managed proxy that
 * {@code <global-method-security>} wraps around beans. The {@code @PreAuthorize}
 * rules declared on {@link userService} are therefore never evaluated for the
 * calls made from this controller; declaring the implementation as a bean and
 * injecting it is what makes them take effect.
 *
 * <p>NOTE(review): {@code users} is an instance field on a singleton controller
 * and is reassigned on every request, so concurrent requests share it. Each
 * handler only uses it as scratch space; a local variable would remove the
 * shared state.
 */
@Controller
public class HomeController {
    // Directly instantiated: bypasses Spring proxying (see class comment).
    userImplementation ui=new userImplementation();
    // Shared across requests; only used as scratch space by the handlers below.
    Vector<user> users;

    /**
     * GET /users: loads every user into the model and renders the "allUsers" view.
     *
     * @param model MVC model that receives the "users" attribute
     * @return the logical view name
     */
    @RequestMapping(value = { "/users" },method = RequestMethod.GET)
    public String getAllUsers(Model model) {
     System.out.println("in getAll()");
     users=ui.getAllUsers();
     model.addAttribute("users", users);
     return "allUsers";
    }


    /**
     * GET /delete/{id}: deletes the user with the given path id, then renders the
     * refreshed list.
     *
     * <p>NOTE(review): this is a state-changing operation on a GET request, which
     * Spring Security's CSRF token check does not cover (it applies to non-GET
     * methods); a POST or DELETE mapping would be the conventional choice.
     *
     * @param id    id of the user to remove, taken from the path
     * @param model MVC model that receives the refreshed "users" attribute
     * @return the logical view name
     */
    @RequestMapping(value = { "/delete/{id}" }, method = RequestMethod.GET)
    public String deleteUser(@PathVariable int id,Model model){
     System.out.println("in delete()");
     ui.deleteUser(id);
     users=ui.getAllUsers();
     model.addAttribute("users", users);
     return "allUsers";
    }
}

dispatcher-servlet.xml

<?xml version="1.0" encoding="UTF-8"?> 
<beans:beans xmlns="http://www.springframework.org/schema/mvc" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:context="http://www.springframework.org/schema/context" 
    xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd 
     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd 
     http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd"> 
    <!-- Enables the Spring MVC @Controller programming model --> 
    <annotation-driven /> 

    <!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources directory --> 
    <resources mapping="/resources/**" location="/resources/" /> 

    <!-- Resolves views selected for rendering by @Controllers to .jsp resources in the /WEB-INF/views directory --> 
    <beans:bean class="org.springframework.web.servlet.view.InternalResourceViewResolver"> 
     <beans:property name="prefix" value="/WEB-INF/views/" /> 
     <beans:property name="suffix" value=".jsp" /> 
    </beans:bean> 

    <context:component-scan base-package="com.nikunj.SpringMethodLevelAuthorization" /> 
</beans:beans> 

spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">

    <!-- NOTE(review): pattern="/" matches only the context root. The controller
         endpoints /users and /delete/{id} are not matched by any intercept-url
         here, and URLs that no rule matches are not access-controlled by this
         <http> block. A pattern such as /** is needed for them to require
         an authenticated USER or ADMIN. -->
    <http auto-config="true">
     <intercept-url pattern="/" access="hasRole('USER') or hasRole('ADMIN')" />
    </http>

    <!-- Enable method level security. Only Spring-managed beans created in this
         application context are proxied and checked; objects created with
         `new` are never intercepted. -->
    <global-method-security pre-post-annotations="enabled"/>

    <!-- In-memory users with plaintext credentials: fine for a local demo,
         not for anything deployed. -->
    <authentication-manager>
     <authentication-provider>
      <user-service>
       <user name="abdul" password="root123" authorities="ROLE_ADMIN"/>
       <user name="nikunj" password="secret" authorities="ROLE_USER"/>
      </user-service>
     </authentication-provider>
    </authentication-manager>
</beans:beans>

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
         http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

    <!-- Processes application requests -->
    <servlet>
     <servlet-name>dispatcher</servlet-name>
     <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
     <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
     <servlet-name>dispatcher</servlet-name>
     <url-pattern>/</url-pattern>
    </servlet-mapping>

    <!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
    <!-- NOTE(review): a DispatcherServlet named "dispatcher" loads
         /WEB-INF/dispatcher-servlet.xml by default for its own child context.
         Listing that file here as well loads it a second time in the root
         context, so every bean it defines (including the component-scanned
         controller) is created twice. Keep it out of contextConfigLocation, or
         give the servlet an explicit, different config file. -->
    <context-param>
     <param-name>contextConfigLocation</param-name>
     <param-value>
        /WEB-INF/dispatcher-servlet.xml
        /WEB-INF/spring-security.xml
     </param-value>
    </context-param>

    <!-- Creates the Spring Container shared by all Servlets and Filters -->
    <listener>
     <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- Spring Security Configuration: delegates to the springSecurityFilterChain
         bean from the root context, so spring-security.xml must be loaded there. -->
    <filter>
     <filter-name>springSecurityFilterChain</filter-name>
     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
     <filter-name>springSecurityFilterChain</filter-name>
     <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>

將 'global-method-security' 移動到 'dispatcher-servlet.xml'，並且不要加載該文件兩次……目前您正在複製所有的 bean。 –


當我把 global-method-security 移動到 dispatcher-servlet.xml 時，我得到以下錯誤：在這一行發現多個註釋： - 無法找到元素 [global-method-security] 的 BeanDefinitionParser - cvc-complex-type.2.4.c：匹配通配符是嚴格的，但是對於元素 'global-method-security' 沒有聲明。 - 配置問題：找不到元素 [global-method-security] 的 BeanDefinitionParser。違規資源：file [C:/Users/gs-1048/Documents/SpringSecurity/SpringMethodLevelAuthorization/src/main/webapp/WEB-INF/dispatcher-servlet.xml] –


當然，你必須添加 security 命名空間，並相應地爲 'global-method-security' 加上命名空間前綴。 –

回答


讓 userImplementation 成爲一個 Spring bean，並通過註釋或在 xml 中定義它，將其注入到 HomeController 中。

<beans:bean name="userService" class="com.nikunj.SpringMethodLevelAuthorization.userImplementation" /> 

OR

@Service 
public class userImplementation implements userService { 
.... 
.... 
} 

然後在 HomeController 中自動裝配它。

@Controller 
public class HomeController { 
    //userImplementation ui=new userImplementation(); 
    @Autowired 
    UserService ui; 
...... 
...... 
}