2013-03-07 88 views
0

我试图实现一个角色层次结构,但它不想工作。除此之外,其他一切都很完美。这里是我的弹簧security.xml文件:Rolevoter无法正常工作

<?xml version="1.0" encoding="UTF-8"?> 
<beans:beans xmlns="http://www.springframework.org/schema/security" 
xmlns:beans="http://www.springframework.org/schema/beans" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xmlns:context="http://www.springframework.org/schema/context" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
      http://www.springframework.org/schema/beans/spring-beans-3.1.xsd 
      http://www.springframework.org/schema/security 
      http://www.springframework.org/schema/security/spring-security-3.1.xsd 
      http://www.springframework.org/schema/context 
      http://www.springframework.org/schema/context/spring-context.xsd"> 

<!-- Enable method-level security via annotations --> 
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled"/> 

<!-- Configure form-based authentication --> 
<http auto-config="true" use-expressions="true" entry-point-ref="securityEntryPoint" > 
    <intercept-url pattern="/resources/script/jquery-ui/**" access="permitAll" /> 
    <intercept-url pattern="/resources/script/jquery*" access="permitAll" /> 
    [....] 
    <intercept-url pattern="/**" access="isAuthenticated()" /> 

    <session-management invalid-session-url="/login.jsp?info=invalid" > 
     <concurrency-control max-sessions="1" session-registry-alias="sessionRegistry" expired-url="/login.jsp?info=expired" /> 
    </session-management> 

    <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=credentials" /> 

    <logout logout-url="/logout" invalidate-session="true" logout-success-url="/login.jsp" /> 

</http> 

<!-- Configure a spring security logger listener for logging authentication attempts. --> 
<beans:bean id="loggerListener" class="org.springframework.security.access.event.LoggerListener"/> 

<!-- Configure a delegating entry point --> 
<beans:bean id="securityEntryPoint" class="org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint"> 

    <!-- Requests of type text/html or application/xhtml+xml should be handled by form-based authentication --> 
    <beans:constructor-arg> 
     <beans:map> 
      <beans:entry> 
       <beans:key> 
        <beans:bean class="com.test.security.AcceptHeaderRequestMatcher"/> 
       </beans:key> 
       <beans:bean class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> 
        <beans:property name="loginFormUrl" value="/login.jsp" /> 
       </beans:bean> 
      </beans:entry> 
     </beans:map> 
    </beans:constructor-arg> 

    <!-- Otherwise use BASIC authentication by default --> 
    <beans:property name="defaultEntryPoint"> 
     <beans:bean class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint"> 
      <beans:property name="realmName" value="test Web Service" /> 
     </beans:bean> 
    </beans:property> 

</beans:bean> 

<!-- Configure an authentication manager via our defaultUserService --> 
<authentication-manager alias="authenticationManager"> 
    <authentication-provider user-service-ref="defaultUserService"> 
     <password-encoder hash="md5" /> 
    </authentication-provider> 
</authentication-manager> 

<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased"> 
    <beans:property name="decisionVoters"> 
     <beans:list> 
      <beans:ref bean="roleVoter" /> 
      <beans:ref bean="authenticatedVoter" /> 
     </beans:list> 
    </beans:property> 

<beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter"> 
    <beans:constructor-arg ref="roleHierarchy" /> 
    <beans:property name="rolePrefix" value="" /> 
</beans:bean> 

<beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl"> 
    <beans:property name="hierarchy"> 
     <beans:value> 
      PERM_READ_ALL_USER_LIST > PERM_READ_USER_LIST 
     </beans:value> 
    </beans:property> 
</beans:bean> 

如果我尝试访问该PERM_READ_USER_LIST要求,@PreAuthorize(“hasRole( 'PERM_READ_USER_LIST' 资源)“),拥有PERM_READ_ALL_USER_LIST的用户不起作用,但是如果他有PERM_READ_USER_LIST,它就可以工作。所以很明显,这位角色投票者没有做好工作,但我不明白为什么......

谢谢。

回答