1. 首頁
  2. 問答
  3. 彈簧安全加法不起作用

彈簧安全加法不起作用

2014-03-26 120 views
0

我試過並嘗試過,但似乎我無法使彈簧安全註釋工作。我已經提到很多網站..我似乎無法看到我的代碼有什麼問題。任何幫助將非常感激彈簧安全加法不起作用

下面是春季安全XML

<security:global-method-security pre-post-annotations="enabled"/> 
<security:http auto-config="true" use-expressions="true"> 
    <security:intercept-url pattern="/login" access="permitAll" /> 
    <security:intercept-url pattern="/logout" access="permitAll" /> 
    <security:intercept-url pattern="/accessdenied" access="permitAll" /> 
    <security:intercept-url pattern="/**/*.css" access="permitAll" /> 
    <security:intercept-url pattern="/**/*.js" access="permitAll" /> 
    <security:intercept-url pattern="/**" access="hasRole('LANDING')" /> 
    <security:form-login login-page="/login" default-target-url="/landing" authentication-failure-url="/login" authentication-success-handler-ref="loginSuccesHandler" /> 
    <security:logout logout-success-url="/logout" /> 
</security:http>

,這裏是我的web.xml

<servlet> 
    <servlet-name>dispatcher</servlet-name> 
    <servlet-class>org.springframework.web.servlet.DispatcherServlet 
    </servlet-class> 
    <load-on-startup>1</load-on-startup> 
</servlet> 
<servlet-mapping> 
    <servlet-name>dispatcher</servlet-name> 
    <url-pattern>/</url-pattern> 
</servlet-mapping> 
<filter> 
    <filter-name>XSSFilter</filter-name> 
    <filter-class>simptex.my.core.security.filter.XSSFilter</filter-class> 
</filter> 
<filter> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
</filter> 
<filter-mapping> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 
<filter-mapping> 
    <filter-name>XSSFilter</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 
<context-param> 
    <param-name>contextConfigLocation</param-name> 
    <param-value> 
     /WEB-INF/dispatcher-servlet.xml 
     /WEB-INF/application-security.xml 
    </param-value> 
</context-param> 
<listener> 
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
</listener> 
<listener> 
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class> 
</listener>

這裏是Java代碼樣本

@PreAuthorize("hasAuthority('ROLE_TELLER')") 
@RequestMapping(value = "/urlxxxx" , method = RequestMethod.GET) 
public String controlerMethod(HttpServletRequest req, HttpSession session) { 


    return "urlxxxx"; 
}

來源

2014-03-26 vincent

回答

0

首先我認爲你使用的是錯誤的表達方式。根據Spring文檔here,我沒有看到hasAuthority()表達式。然而,有一個hasRole()表達式。所以在你的情況下,我相信你需要將註釋更改爲@PreAuthorize("hasRole('ROLE_TELLER')")

其次,春節文檔狀態:

要使用調用hasPermission()的表達式,你必須明確地配置PermissionEvaluator在你的應用環境

所以在您的安全XML配置使用以下bean聲明:

<bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler" />

然後將您的security:global-method-security定義更新爲l ook類似於:

<security:global-method-security pre-post-annotations="enabled"> 
    <security:expression-handler ref="expressionHandler"/> 
</security:global-method-security>

這應該足以讓默認的Spring Security註釋開箱即用。

來源

2014-03-26 16:14:20

相關問題

 相關問題