我在Spring Security中使用角色層次結構,如我的question。當我嘗試確保使用@PreAuthorize("hasRole('ROLE_USER')")
的方法時,我總是得到AccessDeniedException。但是,如果我將其更改爲@Secured("ROLE_USER")
或@PreAuthorize and RoleHierarchyVoter
<protect-pointcut
expression="execution(* my.package.Class.*(..))"
access="ROLE_GUEST" />
我沒有問題。從這個answer,除了列出的差異,兩者應該表現相同。我在這裏錯過了什麼嗎?
編輯: 這是我的配置。
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http entry-point-ref="entryPoint">
<anonymous enabled="false" />
</http>
<beans:bean id="entryPoint"
class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<global-method-security secured-annotations="enabled"
pre-post-annotations="enabled" access-decision-manager-ref="accessDecisionManager">
<!-- this is disable if I secure with annotation @Secured -->
<protect-pointcut
expression="execution(* my.package.Class.*(..))"
access="ROLE_GUEST" />
</global-method-security>
<beans:bean id="accessDecisionManager"
class="org.springframework.security.access.vote.AffirmativeBased">
<beans:property name="decisionVoters">
<beans:list>
<beans:ref bean="roleHierarchyVoter" />
</beans:list>
</beans:property>
</beans:bean>
<beans:bean id="roleHierarchyVoter"
class="org.springframework.security.access.vote.RoleHierarchyVoter">
<beans:constructor-arg ref="roleHierarchy" />
</beans:bean>
<beans:bean id="roleHierarchy"
class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
<beans:property name="hierarchy">
<beans:value>
ROLE_USER > ROLE_GUEST
</beans:value>
</beans:property>
</beans:bean>
<beans:bean id="userDetailsService"
class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
<beans:property name="dataSource" ref="dataSource" />
<beans:property name="enableGroups" value="true" />
<beans:property name="enableAuthorities" value="false" />
</beans:bean>
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
</authentication-provider>
</authentication-manager>
</beans:beans>
根據[documentation](http://static.springsource.org/spring-security/site/docs/3.1.x/reference/ns-config.html#ns-global-method),您必須啓用''global-method-security'元素中的'pre-post-annotations':''。你在做那個嗎? –
bluefoot
@bluefoot,是的,我添加了兩個安全註釋=「啓用」前後註釋=「啓用」 –