2012-05-23 53 views
3

Spring Security + MVC annotations Illegal argument exception

I am using Spring MVC and Spring Security.

I have annotation-driven controllers and am trying to add security annotations.

Controller code:

@Controller
public class SomeController implements MessageSourceAware {

    @Secured("ROLE_ADMIN")
    @RequestMapping(value = "/somepage", method = RequestMethod.GET)
    public String getPage(HttpServletRequest request, ModelMap model) {
        // logic
        return ADMIN_VIEW_NAME;
    }
}

spring-security.xml

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xmlns:security="http://www.springframework.org/schema/security" 
     xsi:schemaLocation=" 
     http://www.springframework.org/schema/beans 
     http://www.springframework.org/schema/beans/spring-beans-3.1.xsd 
     http://www.springframework.org/schema/security 
     http://www.springframework.org/schema/security/spring-security-3.1.xsd"> 

    <security:global-method-security secured-annotations="enabled" /> 

    <security:http auto-config="true" use-expressions="true" access-denied-page="/denied"> 

     <security:intercept-url pattern="/login" access="permitAll"/> 
     <!--<security:intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')"/>--> 

     <security:form-login 
       login-page="/login" 
       authentication-failure-url="/login?error=true" 
       default-target-url="/index"/> 

     <security:logout 
       invalidate-session="true" 
       logout-success-url="/login" 
       logout-url="/logout"/> 

    </security:http> 

    <!-- Declare an authentication-manager to use a custom userDetailsService --> 
    <security:authentication-manager> 
     <security:authentication-provider user-service-ref="authManager"> 
      <security:password-encoder ref="passwordEncoder"/> 
     </security:authentication-provider> 
    </security:authentication-manager> 

    <!-- Use a SHA encoder since the user's passwords are stored as SHA in the database --> 
    <bean class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" id="passwordEncoder"/> 

    <!-- A custom service where Spring will retrieve users and their corresponding access levels --> 
    <bean id="authManager" class="some.package.AdminManager"/> 

</beans>

When I try to open the secured page I get the following error:

org.springframework.web.util.NestedServletException: Request processing failed; nested exception is java.lang.IllegalArgumentException: object is not an instance of declaring class 
HandlerMethod details: 
Controller [$Proxy139] 
Method [public java.lang.String SomeController.getPage(javax.servlet.http.HttpServletRequest,org.springframework.ui.ModelMap)] 
Resolved arguments: 
[0] [type=org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper] [value=SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ [email protected]]]] 
[1] [type=org.springframework.validation.support.BindingAwareModelMap] [value={}]

If I remove the security annotation and uncomment the following line in spring-security.xml:

<security:intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')"/>

everything works fine.

Thanks for your help.

Answer

11

Move

<security:global-method-security secured-annotations="enabled" /> 

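from the spring-security.xml file to the XML file referenced by the main dispatcher servlet, typically something like servlet-context.xml or application-context.xml.

See here: http://static.springsource.org/spring-security/site/faq/faq.html#faq-method-security-in-web-context

Also, I think you need to add "proxy-target-class='true'" to the global-method-security annotation as well, like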

<security:global-method-security secured-annotations="enabled" proxy-target-class="true"/> 
+1

Thanks. 'proxy-target-class' is necessary. I have added cglib and asm, and it works.
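
Why the error reports `Controller [$Proxy139]`, as an added example that is not part of the question or the answer: a controller that implements an interface gets a JDK interface proxy by default, and that proxy is not an instance of the controller class whose method Spring MVC invokes reflectively, while a subclass proxy (what `proxy-target-class="true"` selects) is. `Aware`, `SubclassProxy`, `invokeHandler` and `ProxyMismatchDemo` are hypothetical stand-ins written for this illustration, not Spring classes.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

public class ProxyMismatchDemo {

    // Hypothetical stand-in for MessageSourceAware.
    interface Aware { void setSource(String source); }

    // Stand-in for SomeController: getPage() exists on the class only.
    static class SomeController implements Aware {
        public void setSource(String source) { }
        public String getPage() { return "adminView"; }
    }

    // Hand-written stand-in for a class-based (CGLIB-style) proxy.
    static class SubclassProxy extends SomeController {
        @Override public String getPage() {
            // A method-security interceptor would check @Secured here.
            return super.getPage();
        }
    }

    // Mimics Spring MVC: the handler Method is resolved from the controller
    // class and then invoked reflectively on whatever bean the context holds.
    static String invokeHandler(Object bean) throws Exception {
        Method getPage = SomeController.class.getMethod("getPage");
        try {
            return "ok: " + getPage.invoke(bean);
        } catch (IllegalArgumentException e) {
            return "failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        SomeController target = new SomeController();
        InvocationHandler handler = (proxy, method, a) -> method.invoke(target, a);

        // Interface-based proxy: implements Aware, but is not a SomeController.
        Object jdkProxy = Proxy.newProxyInstance(
                SomeController.class.getClassLoader(),
                new Class<?>[] { Aware.class }, handler);

        System.out.println(jdkProxy.getClass().getSimpleName() + " -> " + invokeHandler(jdkProxy));
        System.out.println("SubclassProxy -> " + invokeHandler(new SubclassProxy()));
    }
}
```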