2013-02-18 134 views
0

我試圖使用Spring Security 3.1春季安全註解@Preauthoritze不工作

但是當我ROLE_USER權威

它不會做任何事情(註解@PreAuthorize( 「hasRole( 'ROLE_ADMIN')」 ))

我期運用春天3.1M和springsecurity 3.1

我需要做什麼嗎?

下面是我的springsecurity configulation代碼

<?xml version="1.0" encoding="UTF-8"?> 
    <beans xmlns="http://www.springframework.org/schema/beans" 
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xmlns:s="http://www.springframework.org/schema/security" 
     xsi:schemaLocation="http://www.springframework.org/schema/beans 
          http://www.springframework.org/schema/beans/spring-beans-3.1.xsd 
          http://www.springframework.org/schema/security 
          http://www.springframework.org/schema/security/spring-security-3.1.xsd"> 

     <s:global-method-security pre-post-annotations="enabled"> 
     <!-- <s:expression-handler ref="expressionHandler"/> --> 
     </s:global-method-security> 


     <s:http pattern="/css/**" security="none" /> 
     <s:http pattern="/js/**" security="none" /> 
     <s:http pattern="/favicon.ico" security="none" /> 
     <s:http pattern="/index.jsp" security="none" /> 

     <s:http auto-config="true" use-expressions="true" access-denied-page="/denied.jsp"> 

      <s:intercept-url pattern="/web/index" access="permitAll" /> 
      <s:intercept-url pattern="/web/**" access="isAuthenticated()"/> 
      <s:intercept-url pattern="/web/study/*" access="hasRole('ROLE_USER')"/> 

      <s:form-login /> 
      <s:logout /> 

      <s:session-management> 
       <s:concurrency-control 
        error-if-maximum-exceeded="true" max-sessions="1" expired-url="/expired.jsp" /> 
      </s:session-management> 
     </s:http> 

     <!-- Declare an authentication-manager to use a custom userDetailsService --> 
     <s:authentication-manager> 
      <s:authentication-provider user-service-ref="userDetailsService"> 
       <s:password-encoder ref="passwordEncoder" /> 
      </s:authentication-provider> 
     </s:authentication-manager> 

     <!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the 
      database --> 
     <bean 
      class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" 
      id="passwordEncoder" /> 

     <s:authentication-manager alias="authenticationManager"> 
      <!-- If you want to use a database, then you can use --> 
      <s:authentication-provider user-service-ref="userDetailsService"> 

       <s:password-encoder ref="passwordEncoder" /> 
      </s:authentication-provider> 
     </s:authentication-manager> 

    </beans> 

和contoroller代碼

package com.app.web.study.language.action; 

    import java.util.*; 

    import javax.annotation.Resource; 
    import javax.servlet.http.HttpServletRequest; 
    import org.slf4j.Logger; 
    import org.slf4j.LoggerFactory; 
    import org.springframework.security.access.annotation.Secured; 
    import org.springframework.security.access.prepost.PreAuthorize; 
    import org.springframework.stereotype.Controller; 
    import org.springframework.transaction.annotation.Transactional; 
    import org.springframework.ui.Model; 
    import org.springframework.web.bind.annotation.RequestMapping; 
    import org.springframework.web.bind.annotation.RequestMethod; 
    import org.springframework.web.bind.annotation.RequestParam; 
    import com.app.web.common.BaseController; 
    import com.app.web.study.language.service.impl.StudyServiceImpl; 

    @Controller 
    public class StudyController extends BaseController { 

     protected static Logger logger = LoggerFactory.getLogger("StudyController"); 

     @Resource(name="studyServiceImpl") 
     private StudyServiceImpl studyServiceImpl; 

     @PreAuthorize("hasRole('ROLE_ADMIN')") 
     @RequestMapping(value = "/study/list", method = RequestMethod.GET) 
     public String study(Locale locale 
          , Model model 
          , HttpServletRequest req) { 
      logger.info("study", locale); 

      HashMap<String, Object> parameters = new HashMap<String, Object>(); 
      List list = studyServiceImpl.getList(parameters); 

      model.addAttribute("ctx", getCrreuntUrl()); 
      model.addAttribute("list", list); 

      //model.addAttribute("activeUsers", getlistActiveUsers()); 

      return "base.study"; 
     } 

    } 
+0

你怎麼說它什麼都不做? – 2013-02-18 03:21:46

+0

當我的用戶權限登錄訪問URL(http:// localhost:8080 /網絡/研究/列表)... springsecurity無法檢查@preauthority註釋,,, – user1767190 2013-02-18 06:46:55

+0

最有可能的是,你有[這個問題]( http://stackoverflow.com/questions/2524962/spring-security-not-processing-pre-post-annotations?rq=1) – 2013-02-18 19:18:41

回答

0

你需要啓用目標類代理..

<s:global-method-security pre-post-annotations="enabled" proxy-target-class="true"/>