爲什麼我的自定義PermissionEvaluator未被調用？

Question

我正在爲我的Spring Security配置而苦苦掙扎，至今我還無法完成它。 我不知道爲什麼我的自定義PermissionEvaluator沒有被調用，並且我的@PreAuthorize註釋使用hasPermission表達式被忽略。

我使用Spring 4.2.4和Spring 4.1.0安全

她是我的代碼：

Web安全配置

@Configuration 
@EnableWebSecurity 
public class MyWebSecurityConfig extends WebSecurityConfigurerAdapter { 
    @Override 
    protected void configure(HttpSecurity http) throws Exception { 
     http // 
       .addFilterBefore(wafflePreAuthFilter(), AbstractPreAuthenticatedProcessingFilter.class) // 
       .authenticationProvider(preauthAuthProvider()) // 
       .csrf().disable() // 
       .authorizeRequests() // 
       .antMatchers("/ui/**").authenticated() // 
       .anyRequest().permitAll(); 
    } 

    @Bean 
    public WafflePreAuthFilter wafflePreAuthFilter() throws Exception { 
     WafflePreAuthFilter filter = new WafflePreAuthFilter(); 
     filter.setAuthenticationManager(authenticationManager()); 
     return filter; 
    } 

    @Bean 
    public PreAuthenticatedAuthenticationProvider preauthAuthProvider() { 
     PreAuthenticatedAuthenticationProvider preauthAuthProvider = new PreAuthenticatedAuthenticationProvider(); 
     preauthAuthProvider.setPreAuthenticatedUserDetailsService(userDetailsServiceWrapper()); 
     return preauthAuthProvider; 
    } 

    @Bean 
    public UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> userDetailsServiceWrapper() { 
     UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper = new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(); 
     wrapper.setUserDetailsService(myUserDetailsService()); 
     return wrapper; 
    } 

    @Bean 
    public UserDetailsService myUserDetailsService() { 
     return new myUserDetailsService(); 
    } 
} 

方法安全配置

@Configuration 
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, proxyTargetClass = true) 
public class MyServiceMethodSecurityConfig extends GlobalMethodSecurityConfiguration { 
    @Bean 
    public PermissionEvaluator myPermissionEvaluator() { 
     return new DcePermissionEvaluator(); 
    } 

    @Override 
    public MethodSecurityExpressionHandler createExpressionHandler() { 
     DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler(); 
     expressionHandler.setPermissionEvaluator(myPermissionEvaluator()); 
     return expressionHandler; 
    } 
} 

PermissionEvaluator

public class MyPermissionEvaluator implements PermissionEvaluator { 
    @Autowired 
    private MyService myAutowiredService; 

    @Override 
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) { 
     // checking permissions 
     return true; 
    } 

    @Override 
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) { 
     // checking permissions 
     return true; 
    } 
} 

任何人都可以給我做什麼的暗示？

通過，如果我改變MyServiceMethodSecurityConfig到這個問題的方法，然後myPermissionEvaluator被處理，但依賴關係它不是由Spring管理注射不起作用：

@Configuration 
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, proxyTargetClass = false) 
public class MyServiceMethodSecurityConfig extends GlobalMethodSecurityConfiguration { 

    @Override 
    public MethodSecurityExpressionHandler createExpressionHandler() { 
     DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler(); 
     expressionHandler.setPermissionEvaluator(new DcePermissionEvaluator()); 
     return expressionHandler; 
    } 
} 

Answer 1

我就遇到了這個問題。它似乎是由多個地方指定的註釋@EnableGlobalMethodSecurity引起的。

一旦我從其他地方刪除它，我的GlobalMethodSecurityConfiguration實現就開始按預期工作。