2010-07-24 162 views
2

I have Spring Security working in my web application using HTTP security with CAS. However, I am trying to mix it with method-level security on certain service methods (specifically GWT RPC), and it does not seem to work. It gets as far as executing the @PostAuthorize annotation, but it does not appear to notice my configuration and uses some other means of denying access to the returned object.

Spring Security method-level security in an HTTP application

Reduced deployerConfigContext.xml, read via the org.springframework.web.context.ContextLoaderListener listener:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="schemaURLs here">

    <security:http use-expressions="true"
        entry-point-ref="casProcessingFilterEntryPoint">
        <security:intercept-url pattern="/casfailed.jsp"
            requires-channel="any" access="permitAll" />
        <security:intercept-url pattern="/cas-logout.jsp"
            requires-channel="any" access="permitAll" />
        <security:intercept-url pattern="/**"
            access="isAuthenticated()" requires-channel="https" />
        <security:logout logout-success-url="/cas-logout.jsp" />
        <security:custom-filter ref="casAuthenticationFilter"
            after="CAS_FILTER" />
    </security:http>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider
            ref="casAuthenticationProvider" />
    </security:authentication-manager>

    <!-- setup method level security using annotations -->
    <security:global-method-security
        jsr250-annotations="disabled" secured-annotations="enabled"
        pre-post-annotations="enabled">
        <security:expression-handler ref="expressionHandler" />
    </security:global-method-security>

    <bean id="expressionHandler"
        class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <property name="permissionEvaluator" ref="permissionEvaluator" />
    </bean>

    <bean id="permissionEvaluator"
        class="org.springframework.security.acls.AclPermissionEvaluator">
        <constructor-arg ref="aclService" />
    </bean>

    <bean id="aclService" class="my.custom.AclService">
        <constructor-arg>
            <bean class="org.springframework.security.acls.domain.ConsoleAuditLogger" />
        </constructor-arg>
        <constructor-arg>
            <bean class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
                <constructor-arg>
                    <list>
                        <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                            <constructor-arg value="ROLE_ADMINISTRATOR" />
                        </bean>
                        <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                            <constructor-arg value="ROLE_ADMINISTRATOR" />
                        </bean>
                        <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                            <constructor-arg value="ROLE_ADMINISTRATOR" />
                        </bean>
                    </list>
                </constructor-arg>
            </bean>
        </constructor-arg>
    </bean>

    <bean class="org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor" />

    <tx:annotation-driven transaction-manager="transactionManager" />

    <bean id="systemEMF"
        class="org.springframework.orm.jpa.LocalEntityManagerFactoryBean">
        <property name="persistenceUnitName" value="_persistenceunit_" />
    </bean>

    <bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager">
        <property name="entityManagerFactory" ref="systemEMF" />
    </bean>
</beans>

My AclService bean is created, but it is never executed afterwards (I added logging to every method). I am not even sure the expressionHandler bean is being used. Do I need to move something into the security:http section?

Here is the part of the debug log where it gets executed:

2010-07-23 17:39:17,885 [org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource] DEBUG: @org.springframework.security.access.prepost.PostAuthorize(value=hasPermission(filterObject,'read')) found on specific method: public ReturnType my.rpc.RPCClass.getObject(java.lang.Long)
2010-07-23 17:39:17,885 [org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource] DEBUG: Adding security method [CacheKey[my.rpc.RPCClass; public abstract ReturnType my.rpc.RPCClass.getObject(java.lang.Long)]] with attributes [[authorize: 'permitAll', filter: 'null', filterTarget: 'null'], [authorize: 'hasPermission(filterObject,'read')', filter: 'null']]
2010-07-23 17:39:17,885 [org.springframework.transaction.annotation.AnnotationTransactionAttributeSource] DEBUG: Adding transactional method 'getObject' with attribute: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; '',-java.lang.Throwable
2010-07-23 17:39:17,886 [org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor] DEBUG: Secure object: ReflectiveMethodInvocation: public abstract ReturnType my.rpc.RPCClass.getObject(java.lang.Long); target is of class [my.rpc.RPCClass]; Attributes: [[authorize: 'permitAll', filter: 'null', filterTarget: 'null'], [authorize: 'hasPermission(filterObject,'read')', filter: 'null']]
2010-07-23 17:39:17,886 [org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor] DEBUG: Previously Authenticated: org.spr[email protected]eeb49577: Principal: [email protected]: Username: kevin.jordan; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]0: RemoteIpAddress: 192.168.0.16; SessionId: HZFBB0B9768A164833B6C659177874FC9C; Granted Authorities: ROLE_USER Assertion: [email protected] Credentials (Service/Proxy Ticket): ST-27-lUehDttiUOLU041sBEio-cas
2010-07-23 17:39:17,890 [org.springframework.security.access.vote.AffirmativeBased] DEBUG: Voter: org.springframewor[email protected]52691fcf, returned: 1
2010-07-23 17:39:17,890 [org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor] DEBUG: Authorization successful
2010-07-23 17:39:17,890 [org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor] DEBUG: RunAsManager did not change Authentication object
2010-07-23 17:39:17,890 [org.springframework.beans.factory.support.DefaultListableBeanFactory] DEBUG: Returning cached instance of singleton bean 'transactionManager'
2010-07-23 17:39:17,890 [org.springframework.orm.jpa.JpaTransactionManager] DEBUG: Creating new transaction with name [my.rpc.RPCClass.getObject]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; '',-java.lang.Throwable
2010-07-23 17:39:17,891 [org.springframework.orm.jpa.JpaTransactionManager] DEBUG: Opened new EntityManager [[email protected]] for JPA transaction
2010-07-23 17:39:18,333 [org.springframework.orm.jpa.JpaTransactionManager] DEBUG: Initiating transaction commit
2010-07-23 17:39:18,339 [org.springframework.orm.jpa.JpaTransactionManager] DEBUG: Committing JPA transaction on EntityManager [[email protected]]
2010-07-23 17:39:18,342 [org.springframework.orm.jpa.JpaTransactionManager] DEBUG: Closing JPA EntityManager [[email protected]] after transaction
2010-07-23 17:39:18,342 [org.springframework.orm.jpa.EntityManagerFactoryUtils] DEBUG: Closing JPA EntityManager
2010-07-23 17:39:18,343 [org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice] DEBUG: PostAuthorize expression rejected access

If anyone needs more information about the setup, or anything else, let me know. Thanks for the help!

Answers

0

Probably your call is not being intercepted by the AOP proxy because the method is invoked directly (see 7.6.1 Understanding AOP proxies). That is certainly the case if you annotated the methods of the RemoteServiceServlet itself.

You should annotate the methods of the service bean that is called from the RemoteServiceServlet, or use spring4gwt.

+0

I am not calling a service bean. I am trying to secure the actual GWT RPC methods. In this case, with @PostAuthorize("hasPermission(filterObject,'read')"). The problem is that it does not seem to use any of my ACL service objects. It just automatically denies. – kjordan 2010-07-25 18:13:49

0

Apparently this is because I was using filterObject when it should have been returnObject.
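The fix above, shown side by side with the broken form, as an added example that is not code from the original post. It assumes a GWT service interface named after the RPCClass/getObject/ReturnType placeholders in the posted log, plus a hypothetical listObjects method; in @PostAuthorize only returnObject is bound, so filterObject evaluates to null and AclPermissionEvaluator.hasPermission returns false for a null domain object before ever consulting the AclService, which matches the "bean created but never invoked" symptom.

```java
// Added example (not from the original post). RPCClass, getObject and
// ReturnType are the placeholder names from the posted debug log;
// listObjects is a hypothetical method added to show the @PostFilter case.
import java.util.List;

import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;

import com.google.gwt.user.client.rpc.RemoteService;

public interface RPCClass extends RemoteService {

    // Broken: filterObject is bound only by @PreFilter/@PostFilter advice.
    // Inside @PostAuthorize it is null, hasPermission(null, 'read') is false,
    // and the AclService is never called, so access is denied every time.
    // @PostAuthorize("hasPermission(filterObject, 'read')")

    // Fixed: returnObject is the value getObject() returned; the expression
    // handler hands it to the AclPermissionEvaluator, which looks up its ACL.
    @PostAuthorize("hasPermission(returnObject, 'read')")
    ReturnType getObject(Long id);

    // For a collection result, filterObject is the right variable: @PostFilter
    // evaluates the expression once per element and drops every element for
    // which it is false, rather than rejecting the whole call.
    @PostFilter("hasPermission(filterObject, 'read')")
    List<ReturnType> listObjects();
}
```

Because the log shows MethodSecurityInterceptor intercepting getObject, the AOP proxy was already in place; only the expression variable needed to change.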