问题:
Spring security@Secure不使用角色层次结构
晋鹤轩
我正在spring security中使用角色层次结构我的spring-securityconfig.xml是
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
<property name="hierarchy">
<value>
ROLE_ADMIN > ROLE_WORKFLOW
ROLE_ADMIN > ROLE_ISBN_INSERTION
ROLE_ADMIN > ROLE_PERMISSION_UPDATE
ROLE_ADMIN > ROLE_ASSIGNMENT
ROLE_ADMIN > ROLE_CALIBRATION
</value>
</property>
</bean>
<bean id="expressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
<property name="roleHierarchy" ref="roleHierarchy" />
</bean>
<bean id="webExpressionHandler" class="org.springframework.security.web.access.expression.WebExpressionVoter">
<property name="expressionHandler">
<ref bean="expressionHandler" />
</property>
</bean>
<bean id="roleVoter"
class="org.springframework.security.access.vote.RoleHierarchyVoter">
<constructor-arg>
<ref bean ="roleHierarchy"/>
</constructor-arg>
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<constructor-arg>
<list>
<ref bean="roleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
<ref bean="webExpressionHandler"/>
</list>
</constructor-arg>
</bean>
<bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="/login.htm" />
</bean>
<security:http entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true" access-decision-manager-ref="accessDecisionManager">
<security:session-management>
<security:concurrency-control error-if-maximum-exceeded="true" max-sessions="1"/>
</security:session-management>
<security:custom-filter position="FORM_LOGIN_FILTER"
ref="cdlAuthenticationProcessingFilter" />
<security:intercept-url pattern="/displayGroupRoleEditView.htm" access="ROLE_PERMISSION_UPDATE" />
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<security:access-denied-handler ref="accessDeniedHandler" />
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="cdlLdapAuthenticationProvider"/>
<security:authentication-provider user-service-ref="cdlUserDetailService"/>
</security:authentication-manager>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="cdlLdapAuthenticationProvider"/>
<security:authentication-provider user-service-ref="cdlUserDetailService"/>
</security:authentication-manager>
<bean name="commonPropertyBean" class="com.qait.cdl.commons.domain.CommonPropertyBean"
abstract="true">
<property name="userDao" ref="userDao"/>
</bean>
<bean name="commonAuthoritiesPopulator" class="com.qait.cdl.authentication.customfilter.AuthoritiesPopulator" parent ="commonPropertyBean" />
<bean id="cdlLdapAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg ref="customLdapBindAuthenticator"/>
<constructor-arg ref="cdlAuthoritiesPopulator"/>
</bean>
<bean id="customLdapBindAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="cdlLdapContextSource" />
<property name="userDnPatterns">
<list>
<value>${ldap.userDnPatterns}</value>
</list>
</property>
</bean>
<bean id="cdlLdapContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="${ldap.url}"/>
</bean>
<bean id="cdlAuthoritiesPopulator" class="com.qait.cdl.authentication.customfilter.CdlUserAuthoritiesPopulator" parent="commonAuthoritiesPopulator"/>
<bean id="cdlUserDetailService" class="com.qait.cdl.authentication.service.impl.UserDetailsServiceImpl" parent="commonAuthoritiesPopulator"/>
<bean id="cdlAuthenticationProcessingFilter" class="com.qait.cdl.authentication.customfilter.CustomAuthenticationProcessingFilter" parent="commonPropertyBean">
<property name="authenticationManager" ref="authenticationManager" />
<property name="notificationService" ref="notificationService"/>
<property name="userGroupDao" ref="userGroupDao"/>
</bean>
<bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
<property name="errorPage" value="/cdlAccessDenied.htm" />
</bean>
<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" />
<bean name="/cdlAccessDenied.htm" class="com.qait.cdl.authentication.web.CDLAccessDeniedHandler"/>
</beans>
在一个服务方法中,我使用了@securited({“role_permission_update”})如果角色为ROLE_ADMIN的用户登录到应用程序并尝试访问此安全方法,则会引发拒绝访问异常。
共有1个答案
谢涵亮
<security:global-method-security secured-annotations="enabled"
pre-post-annotations="enabled">
<security:expression-handler ref="defaultMethodSecurityExpressionHandler"/>
</security:global-method-security>
添加
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
WEB-INF/applicationContext.xml
WEB-INF/dispatcher-servlet.xml
</param-value>
</context-param>
并在applicationcontext.xml中导入spring-security.xml的唯一目的是为spring Security提供单独的上下文。
若要应用基于方法的安全性来使用角色层次结构,请使用@preauthorize(“spel”)代替@securited({})
类似资料:
-
我的Grails是2.2.1 Java 1.7 Spring-security-core 1.2.7.3 Spring-security-ui 0.2 在Controller方法中,我使用@security(['role_user'])作为前言,当我以ROLE_ADMIN登录时,它会抛出一个权限错误。
-
我试图在一个带有spring security和KeyClope的java应用程序中同时使用领域和资源角色。不幸的是,KeyClope只会返回一个或另一个,具体取决于: 您仍然可以通过自定义代码获得这两种方法,但它会弄乱@PreAuthorize或spring boot方法等注释。isUserInRole,这会导致难看的代码。 有没有办法覆盖@PreAuthorize方法或JSON令牌Keyclo
-
如果有任何帮助,我将不胜感激。
-
本文向大家介绍使用递归[JavaScript]创建层次结构,包括了使用递归[JavaScript]创建层次结构的使用技巧和注意事项,需要的朋友参考一下 示例 输出
-
零售商店的正确模式是什么?公司从商店销售产品。 这似乎违反了我对OOP所知的全部知识。通过层次结构向下传递数据的方法--在对象之间复制参数?我错过了什么?
-
本规范定义了一个用于部署和打包用途的,可存在于开放文件系统、归档文件或一些其他形式中的层次结构。建议 servlet 容器支持这种结构作为运行时表示形式,但不是必须的.