Spring Security method-level security in an HTTP application

2010-07-24 159 views
2

I already have Spring Security working in my web application, using HTTP security with CAS. However, I'm trying to mix it with method-level security on some service methods (specifically GWT RPC), and it doesn't seem to work. It gets as far as executing the @PostAuthorize annotation, but it doesn't seem to notice my configuration and denies access to the returned object some other way.

A reduced deployerConfigContext.xml, which is read by the org.springframework.web.context.ContextLoaderListener listener:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="schemaURLs here">

    <!-- HTTP security: everything except the CAS failure/logout pages needs an authenticated user over HTTPS.
         The CAS entry point, filter and provider beans are omitted from this reduced config. -->
    <security:http use-expressions="true"
        entry-point-ref="casProcessingFilterEntryPoint">
        <security:intercept-url pattern="/casfailed.jsp"
            requires-channel="any" access="permitAll" />
        <security:intercept-url pattern="/cas-logout.jsp"
            requires-channel="any" access="permitAll" />
        <security:intercept-url pattern="/**"
            access="isAuthenticated()" requires-channel="https" />
        <security:logout logout-success-url="/cas-logout.jsp" />
        <security:custom-filter ref="casAuthenticationFilter"
            after="CAS_FILTER" />
    </security:http>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider
            ref="casAuthenticationProvider" />
    </security:authentication-manager>

    <!-- setup method level security using annotations -->
    <security:global-method-security
        jsr250-annotations="disabled" secured-annotations="enabled"
        pre-post-annotations="enabled">
        <security:expression-handler ref="expressionHandler" />
    </security:global-method-security>

    <!-- hasPermission() inside @PreAuthorize/@PostAuthorize/@PostFilter expressions
         is delegated to this handler's permissionEvaluator -->
    <bean id="expressionHandler"
        class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <property name="permissionEvaluator" ref="permissionEvaluator" />
    </bean>

    <bean id="permissionEvaluator"
        class="org.springframework.security.acls.AclPermissionEvaluator">
        <constructor-arg ref="aclService" />
    </bean>

    <bean id="aclService"
        class="my.custom.AclService">
        <constructor-arg>
            <bean class="org.springframework.security.acls.domain.ConsoleAuditLogger" />
        </constructor-arg>
        <constructor-arg>
            <!-- the three authorities are, in order: change ownership, modify auditing, general changes -->
            <bean
                class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
                <constructor-arg>
                    <list>
                        <bean
                            class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                            <constructor-arg value="ROLE_ADMINISTRATOR" />
                        </bean>
                        <bean
                            class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                            <constructor-arg value="ROLE_ADMINISTRATOR" />
                        </bean>
                        <bean
                            class="org.springframework.security.core.authority.GrantedAuthorityImpl">
                            <constructor-arg value="ROLE_ADMINISTRATOR" />
                        </bean>
                    </list>
                </constructor-arg>
            </bean>
        </constructor-arg>
    </bean>

    <bean
        class="org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor" />

    <tx:annotation-driven transaction-manager="transactionManager" />

    <bean id="systemEMF"
        class="org.springframework.orm.jpa.LocalEntityManagerFactoryBean">
        <property name="persistenceUnitName" value="_persistenceunit_" />
    </bean>

    <bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager">
        <property name="entityManagerFactory" ref="systemEMF" />
    </bean>
</beans>

My AclService bean is created, but nothing on it is executed afterwards (I've added logging to every method). I'm not even sure whether the expressionHandler bean is being used. Do I need to move something into the security:http section?

Here is the part of the debug log where it gets executed:

2010-07-23 17:39:17,885 [org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource] DEBUG: @org.springframework.security.access.prepost.PostAuthorize(value=hasPermission(filterObject,'read')) found on specific method: public ReturnType my.rpc.RPCClass.getObject(java.lang.Long)
2010-07-23 17:39:17,885 [org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource] DEBUG: Adding security method [CacheKey[my.rpc.RPCClass; public abstract ReturnType my.rpc.RPCClass.getObject(java.lang.Long)]] with attributes [[authorize: 'permitAll', filter: 'null', filterTarget: 'null'], [authorize: 'hasPermission(filterObject,'read')', filter: 'null']]
2010-07-23 17:39:17,885 [org.springframework.transaction.annotation.AnnotationTransactionAttributeSource] DEBUG: Adding transactional method 'getObject' with attribute: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; '',-java.lang.Throwable
2010-07-23 17:39:17,886 [org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor] DEBUG: Secure object: ReflectiveMethodInvocation: public abstract ReturnType my.rpc.RPCClass.getObject(java.lang.Long); target is of class [my.rpc.RPCClass]; Attributes: [[authorize: 'permitAll', filter: 'null', filterTarget: 'null'], [authorize: 'hasPermission(filterObject,'read')', filter: 'null']]
2010-07-23 17:39:17,886 [org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor] DEBUG: Previously Authenticated: org.spr[email protected]eeb49577: Principal: [email protected]: Username: kevin.jordan; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]0: RemoteIpAddress: 192.168.0.16; SessionId: HZFBB0B9768A164833B6C659177874FC9C; Granted Authorities: ROLE_USER Assertion: [email protected] Credentials (Service/Proxy Ticket): ST-27-lUehDttiUOLU041sBEio-cas
2010-07-23 17:39:17,890 [org.springframework.security.access.vote.AffirmativeBased] DEBUG: Voter: org.springframewor[email protected]52691fcf, returned: 1
2010-07-23 17:39:17,890 [org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor] DEBUG: Authorization successful
2010-07-23 17:39:17,890 [org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor] DEBUG: RunAsManager did not change Authentication object
2010-07-23 17:39:17,890 [org.springframework.beans.factory.support.DefaultListableBeanFactory] DEBUG: Returning cached instance of singleton bean 'transactionManager'
2010-07-23 17:39:17,890 [org.springframework.orm.jpa.JpaTransactionManager] DEBUG: Creating new transaction with name [my.rpc.RPCClass.getObject]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; '',-java.lang.Throwable
2010-07-23 17:39:17,891 [org.springframework.orm.jpa.JpaTransactionManager] DEBUG: Opened new EntityManager [[email protected]] for JPA transaction
2010-07-23 17:39:18,333 [org.springframework.orm.jpa.JpaTransactionManager] DEBUG: Initiating transaction commit
2010-07-23 17:39:18,339 [org.springframework.orm.jpa.JpaTransactionManager] DEBUG: Committing JPA transaction on EntityManager [[email protected]]
2010-07-23 17:39:18,342 [org.springframework.orm.jpa.JpaTransactionManager] DEBUG: Closing JPA EntityManager [[email protected]] after transaction
2010-07-23 17:39:18,342 [org.springframework.orm.jpa.EntityManagerFactoryUtils] DEBUG: Closing JPA EntityManager
2010-07-23 17:39:18,343 [org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice] DEBUG: PostAuthorize expression rejected access

If anyone needs more information from when it starts up, or anything else, let me know. Thanks for the help!

Answers

0

Probably your call is not being intercepted by the AOP proxy because the method is invoked directly (see 7.6.1 Understanding AOP proxies). That is definitely the case if you annotated the methods of the RemoteServiceServlet itself.

You should annotate the methods of the service bean that is called from the RemoteServiceServlet, or use spring4gwt.

+0

I'm not calling a service bean. I'm trying to secure the actual GWT RPC methods. In this case, using @PostAuthorize("hasPermission(filterObject,'read')"). The problem is that it doesn't seem to use any of my ACL service objects. It just denies automatically. – kjordan 2010-07-25 18:13:49

0

Apparently this was because I was using filterObject where it should have been returnObject.
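The two points raised in this thread, shown together as an added example (this is not code from the original question, from the answerers, or from spring4gwt): the servlet-to-service-bean delegation the first answer recommends, so that the global-method-security proxy is actually in the call path, and the returnObject / filterObject distinction from the final answer. The class names Document, DocumentService, DocumentServiceImpl, DocumentRpc and DocumentRpcServlet, the bean id documentService, and the sample data are assumptions for the illustration; the types are shown in one listing, whereas each public type would normally go in its own source file.

```java
package my.rpc;

import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.servlet.ServletException;

import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

// Domain object the ACL entries are keyed on (assumed; the question never shows
// its ReturnType). The default ObjectIdentityRetrievalStrategy resolves the ACL
// identity through getId(), so hasPermission() depends on this accessor.
class Document implements Serializable {
    private Long id;

    Document() { }                       // no-arg constructor required for GWT RPC serialization
    Document(Long id) { this.id = id; }

    public Long getId() { return id; }
}

// Service contract implemented by a Spring-managed bean. The security annotations
// live on that bean, so the proxy created by <security:global-method-security>
// in deployerConfigContext.xml sits in front of every call.
interface DocumentService {
    Document getDocument(Long id);
    List<Document> listDocuments();
}

// Assumed to be registered in deployerConfigContext.xml as
//   <bean id="documentService" class="my.rpc.DocumentServiceImpl" />
class DocumentServiceImpl implements DocumentService {

    // @PostAuthorize binds the method's return value as 'returnObject'.
    // Writing hasPermission(filterObject, 'read') here evaluates
    // hasPermission(null, 'read'): AclPermissionEvaluator denies a null domain
    // object before it ever consults the AclService, which matches the
    // "PostAuthorize expression rejected access" line in the question's log.
    @PostAuthorize("hasPermission(returnObject, 'read')")
    public Document getDocument(Long id) {
        return new Document(id);         // constructed stand-in for the JPA lookup
    }

    // 'filterObject' is only bound by @PreFilter / @PostFilter, where it names
    // each element of the collection as it is tested. Elements the caller has no
    // 'read' permission on are removed in place, so the list must be mutable.
    @PostFilter("hasPermission(filterObject, 'read')")
    public List<Document> listDocuments() {
        return new ArrayList<Document>(Arrays.asList(new Document(1L), new Document(2L))); // constructed sample data
    }
}

// GWT-side contract for the RPC servlet (assumed name).
interface DocumentRpc extends RemoteService {
    Document getDocument(Long id);
    List<Document> listDocuments();
}

public class DocumentRpcServlet extends RemoteServiceServlet implements DocumentRpc {
    private DocumentService documentService;

    @Override
    public void init() throws ServletException {
        super.init();
        // The servlet is instantiated by the container, not by Spring, so
        // annotations on its own methods are never seen by an interceptor.
        // Fetch the (proxied) bean from the root WebApplicationContext that
        // ContextLoaderListener built from deployerConfigContext.xml instead.
        WebApplicationContext ctx =
            WebApplicationContextUtils.getRequiredWebApplicationContext(getServletContext());
        documentService = ctx.getBean("documentService", DocumentService.class);
    }

    // No security annotations here: GWT dispatches to the raw servlet instance,
    // outside any Spring AOP proxy. Every call goes through the service bean,
    // and that is where the MethodSecurityInterceptor runs.
    public Document getDocument(Long id) {
        return documentService.getDocument(id);
    }

    public List<Document> listDocuments() {
        return documentService.listDocuments();
    }
}
```

One caveat when switching to returnObject: AclPermissionEvaluator treats a null domain object as a denial, so a lookup that returns null for a missing id is reported to the caller as an AccessDeniedException rather than as an empty result. If "not found" should stay distinguishable from "forbidden", write the expression as `returnObject == null or hasPermission(returnObject, 'read')`, accepting that this leaks whether an id exists.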