2011-10-24 31 views
2

@PreAuthorize and RoleHierarchyVoter

I am using a role hierarchy in Spring Security, as in my question. When I try to secure a method with @PreAuthorize("hasRole('ROLE_USER')"), I always get an AccessDeniedException. However, if I change it to @Secured("ROLE_USER") or

<protect-pointcut 
     expression="execution(* my.package.Class.*(..))" 
     access="ROLE_GUEST" /> 

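I have no problem. From this answer, apart from the differences listed, the two should behave the same. Am I missing something here?

Edit: Here is my configuration.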

<?xml version="1.0" encoding="UTF-8"?> 
<beans:beans xmlns="http://www.springframework.org/schema/security" 
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:context="http://www.springframework.org/schema/context" 
    xsi:schemaLocation=" 
     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
     http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd 
     http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> 

    <http entry-point-ref="entryPoint">
        <anonymous enabled="false" />
    </http>

    <beans:bean id="entryPoint"
        class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

    <global-method-security secured-annotations="enabled"
        pre-post-annotations="enabled" access-decision-manager-ref="accessDecisionManager">
        <!-- this is disabled if I secure with the @Secured annotation -->
        <protect-pointcut
            expression="execution(* my.package.Class.*(..))"
            access="ROLE_GUEST" />
    </global-method-security>

    <beans:bean id="accessDecisionManager"
        class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:property name="decisionVoters">
            <beans:list>
                <beans:ref bean="roleHierarchyVoter" />
            </beans:list>
        </beans:property>
    </beans:bean>

    <beans:bean id="roleHierarchyVoter"
        class="org.springframework.security.access.vote.RoleHierarchyVoter">
        <beans:constructor-arg ref="roleHierarchy" />
    </beans:bean>

    <beans:bean id="roleHierarchy"
        class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
        <beans:property name="hierarchy">
            <beans:value>
                ROLE_USER > ROLE_GUEST
            </beans:value>
        </beans:property>
    </beans:bean>

    <beans:bean id="userDetailsService"
        class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
        <beans:property name="dataSource" ref="dataSource" />
        <beans:property name="enableGroups" value="true" />
        <beans:property name="enableAuthorities" value="false" />
    </beans:bean>

    <authentication-manager>
        <authentication-provider user-service-ref="userDetailsService">
        </authentication-provider>
    </authentication-manager>

</beans:beans> 
+0

According to the [documentation](http://static.springsource.org/spring-security/site/docs/3.1.x/reference/ns-config.html#ns-global-method), you have to enable 'pre-post-annotations' in the 'global-method-security' element. Are you doing that? – bluefoot

+0

@bluefoot, yes, I added both secured-annotations="enabled" and pre-post-annotations="enabled" –

Answers

0

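I'm not quite sure what your configuration looks like, since you are referring to another post. The solution might be simple. Leave out the access-decision-manager-ref, as in: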

<sec:global-method-security 
    secured-annotations="enabled" pre-post-annotations="enabled" /> 

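In practice, if method security Pre*/Post* annotations are being used, the voter-based system is not really necessary. Actually there is no voter at all, all the other voters abstain, and access is denied.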

+0

If I remove the RoleHierarchyVoter or the access-decision-manager-ref, I get an AccessDeniedException. –

+0

@CKLee: Please post your complete Spring configuration – jeha

+0

Added my configuration. –