
我使用的是 Spring Security 3.2.5，但 @PreAuthorize 对类和方法都不起作用。按照文档，如果当前用户不具备注解中指定的角色，@PreAuthorize 应当拒绝调用被注解的方法或类；但实际上，无论用户拥有什么角色，所有方法和类都能照常执行，没有任何区别。下面是 security-config.xml、security-context.xml，以及我声明了 @PreAuthorize 注解的类。如果你能帮我解决这个问题，我会很感激。（标题：@PreAuthorize 在 Spring 上不起作用）

security-config.xml

<?xml version="1.0" encoding="UTF-8"?> 
<beans:beans 
xmlns="http://www.springframework.org/schema/security" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xmlns:beans="http://www.springframework.org/schema/beans" 
xsi:schemaLocation=" 
    http://www.springframework.org/schema/security 
    http://www.springframework.org/schema/security/spring-security-3.2.xsd 
    http://www.springframework.org/schema/beans 
    http://www.springframework.org/schema/beans/spring-beans-4.0.xsd"> 

<!-- /securityNone is excluded from the Spring Security filter chain entirely
     (security="none"): no SecurityContext, no session management and no access
     check apply on that path. Keep this list as short as possible. -->
<http pattern="/securityNone" security="none" />

<!-- Catch-all chain: every request not matched by the /securityNone chain above
     must come from an authenticated user, authenticated with HTTP Basic. Basic
     resends the password on every request, so this chain should only be exposed
     over TLS (transport configuration is not visible in this file). -->
<http use-expressions="true">
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <http-basic />
</http>
<!-- Enables @PreAuthorize/@PostAuthorize in the default (proxy) mode. Only beans
     created by this Spring context receive the security proxy. A JSF @ManagedBean
     such as OrderDetView in the question is not a Spring bean, so its
     @PreAuthorize is silently ignored and the method runs with no role check at
     all: the annotation fails open, it does not fail closed. -->
<global-method-security pre-post-annotations="enabled" />


<!-- In-memory test user. Two points a reviewer would want on record:
     - the password is stored in clear text and no password encoder is
       configured, which is only acceptable for a throw-away test context;
     - the only authority granted is ROLE_USER. Nothing in this context holds
       ROLE_ADMIN, which is what OrderDetView's @PreAuthorize demands, so that
       bean would deny every user even once the annotation is actually enforced. -->
<authentication-manager>
    <authentication-provider>
     <user-service>
      <user name="alperk" password="123" authorities="ROLE_USER" />
     </user-service>
    </authentication-provider>
</authentication-manager>

security-context.xml

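<!-- xsi:schemaLocation is a whitespace-separated list of (namespace, location)
     pairs, so a location URL must not contain a space. The security schema is
     pinned to 3.2 because Spring Security 3.2.5 is the version in use (see
     security-config.xml); elements such as <sec:csrf/> only exist from 3.2. -->
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:sec="http://www.springframework.org/schema/security"
    xsi:schemaLocation="
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">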

<!-- Publishes authentication success/failure events from the ProviderManager
     below. Nothing in this file listens to them; they are only useful once an
     ApplicationListener (login auditing, lockout counters) is registered. -->
<bean id="defaultAuthEventPublisher"  class="org.springframework.security.authentication.DefaultAuthenticationEventPublisher"/>

<!-- The AuthenticationManager used by the <sec:http> chain and by the custom
     login filter. It delegates to the single DaoAuthenticationProvider declared
     below and reports outcomes through defaultAuthEventPublisher. -->
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <property name="providers">
     <list>
      <ref bean="authenticationProvider"/>
     </list>
    </property>
    <property name="authenticationEventPublisher" ref="defaultAuthEventPublisher"/>
</bean>
<!-- Application UserDetailsService. Because the provider below has no password
     encoder wired in, the password this service returns is compared as-is, so it
     must hold whatever form the stored credential actually has. -->
<bean id="customUserDetailsService" class="tr.com.sistek.utak.authentication.AuthenticationUserDetailsService"/>

<!-- MD5 password encoder, intended for use during authentication. NOTE(review):
     this bean is declared but not referenced anywhere in this file (the
     passwordEncoder property on authenticationProvider is commented out), so it
     has no effect. If it is wired in, be aware that unsalted MD5 offers little
     protection for stored passwords and that the
     org.springframework.security.authentication.encoding encoders are the legacy
     API; a salted/adaptive encoder from the crypto package is the usual choice. -->
<bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"/>

<!-- Username/password provider backed by customUserDetailsService.
     NOTE(review): with the passwordEncoder property commented out the provider
     falls back to comparing the submitted password directly with the stored one,
     i.e. credentials are expected to be stored in clear text. Either wire an
     encoder here or delete the dead commented-out line; a parser never reads it. -->
<bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="customUserDetailsService"/>
    <!--<property name="passwordEncoder" ref="passwordEncoder"/>-->
</bean>

<!-- Post-login redirect target for the custom login filter. The same URL is
     repeated as default-target-url on <sec:form-login>; keep the two in sync. -->
<bean id="authenticationSuccessHandler" class="tr.com.sistek.utak.authentication.CustomAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="/faces/private/MainMenu.jsf"/>
</bean>

<!-- Maps each authentication failure type to its own error page/code.
     NOTE(review): the distinct HESAP_KILITLI (locked) and HESAP_PASIF (disabled)
     codes tell an anonymous caller that the account exists and in what state it
     is, which is an account-enumeration leak. Bad password and unknown user
     share HATALI_PWD only because DaoAuthenticationProvider hides
     UsernameNotFoundException by default; do not turn that off. -->
<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
    <property name="exceptionMappings">
     <props>
      <prop key="org.springframework.security.authentication.BadCredentialsException">/login-failure.jsf?err=HATALI_PWD</prop>
      <prop key="org.springframework.security.authentication.CredentialsExpiredException">/change-password.jsf</prop>
      <prop key="org.springframework.security.authentication.LockedException">/login-failure.jsf?err=HESAP_KILITLI</prop>
      <prop key="org.springframework.security.authentication.DisabledException">/login-failure.jsf?err=HESAP_PASIF</prop>
     </props>
    </property>
</bean>

<!-- Page shown when an authenticated user lacks the required authority
     (an access-denied response is a 403, despite the "401" in the page name). -->
<bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
    <property name="errorPage" value="/error401.jsf"/>
</bean>

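<!-- Used to validate the data entered during login (custom form-login filter).
     It consumes untrusted credentials from the request, so it is restricted to
     POST: with postOnly=false a username and password could be submitted in a GET
     query string and end up in browser history, proxy/access logs and Referer
     headers. NOTE(review): this is a deliberate behaviour change; any login form
     or link that submitted credentials via GET must now POST. -->
<bean id="customPreAuthenticationLoginHandler" class="tr.com.sistek.utak.authentication.CustomPreAuthenticationLoginHandler">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
    <property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
    <!-- URL the login form posts to; keep in sync with the form's action. -->
    <property name="filterProcessesUrl" value="/j_security_check" />
    <!-- Registers the new session with the concurrency strategy so the
         per-user session limit is applied at login time. -->
    <property name="sessionAuthenticationStrategy" ref="sas" />
    <property name="postOnly" value="true" />
</bean>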

<!-- Static resource paths that bypass the security filter chain completely.
     Nothing served from these prefixes gets a SecurityContext or an access
     check, so make sure no application page or servlet is mapped under them. -->
<sec:http pattern="/assets/**" security="none"/>
<sec:http pattern="/images/**" security="none"/>
<sec:http pattern="/resources/**" security="none"/>
<sec:http pattern="/themes/**" security="none"/>
<sec:http pattern="/javax.faces.resource/**" security="none"/>

<!-- Method security in AspectJ mode. Review notes:
     - mode="aspectj" only has an effect if the application classes are actually
       woven (compile-time or load-time) with the Spring Security aspects. Without
       weaving the annotations are silently ignored and every annotated method
       runs unchecked, which matches the symptom described in the question. This
       is also the only mode that can cover objects Spring does not create, such
       as JSF managed beans.
     - proxy-target-class configures the proxy mode and, as far as I can tell,
       is ignored when mode="aspectj".
     - security-config.xml declares a second <global-method-security>; if both
       files are loaded into one context, keep only one of them. -->
<sec:global-method-security
    pre-post-annotations="enabled"
    mode="aspectj"
    proxy-target-class="true">
</sec:global-method-security>


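<!-- Main (catch-all) filter chain.
     auto-config="true" also enables http-basic and a default form-login/logout
     next to the explicit elements below, so a second username/password filter
     (at /j_spring_security_check) runs beside customPreAuthenticationLoginHandler;
     presumably intended, verify.
     Access rules: only /dashboard/** and the post-login area /faces/private/**
     require an authenticated user. Every other URL has no rule and is therefore
     not access-checked at the URL level. The safer shape is a deny-by-default
     "/**" rule plus explicit permitAll for the public pages referenced in this
     file (/login.jsf, /login-failure.jsf, /session-expired.jsf, /error401.jsf,
     /change-password.jsf); that is left for the application owner because it
     needs the full list of public pages.
     NOTE(review): there is no <sec:csrf/> element. In 3.2 XML configuration
     CSRF protection is off unless enabled, and logout is reachable with a plain
     GET to /logout. -->
<sec:http auto-config="true" use-expressions="true"
      authentication-manager-ref="authenticationManager">

    <sec:intercept-url pattern="/dashboard/**" access="isAuthenticated()"/>
    <!-- MainMenu.jsf, the post-login target, lives here; without this rule the
         private area was not protected at all. -->
    <sec:intercept-url pattern="/faces/private/**" access="isAuthenticated()"/>
    <sec:custom-filter before="FORM_LOGIN_FILTER" ref="customPreAuthenticationLoginHandler"/>

    <sec:form-login login-page="/login.jsf"
        authentication-failure-handler-ref = "authenticationFailureHandler"
        default-target-url="/faces/private/MainMenu.jsf"/>

    <sec:access-denied-handler ref = "accessDeniedHandler"/>

    <!-- Session is invalidated on logout; customAuthenticationLogoutHandler is
         declared in this file but not referenced here (no success-handler-ref). -->
    <sec:logout invalidate-session="true"
       logout-success-url="/login.jsf"
       logout-url="/logout"/>

    <sec:session-management invalid-session-url="/login.jsf" session-authentication-strategy-ref="sas"/>

    <sec:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />

</sec:http>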


<!-- Redirect strategy used by concurrencyFilter so that the session-expired
     redirect also works for JSF AJAX (partial) requests. -->
<bean id="jsfRedirectStrategy" class="tr.com.sistek.utak.jsf.filter.JsfRedirectStrategy"/>

<!-- NOTE(review): declared but not referenced by any element in this file; the
     <sec:http> chain creates its own repository. Remove it or wire it in. -->
<bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>

<!-- Authentication logout handler.
     NOTE(review): not referenced by <sec:logout> (which has no success-handler-ref
     or custom handler attribute), so it does not run on logout. -->
<bean id="customAuthenticationLogoutHandler" class="tr.com.sistek.utak.authentication.CustomAuthenticationLogoutHandler"/>

<!-- ******************************************************************* --> 
<!-- Concurrent Session Management Configuration--> 
<!-- ******************************************************************* --> 
<!-- Detects sessions the concurrency strategy has marked as expired (because
     the same user logged in elsewhere) and redirects them to the expired page. -->
<bean id="concurrencyFilter"
     class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <property name="sessionRegistry" ref="sessionRegistry" />
    <property name="expiredUrl" value="/session-expired.jsf" />
    <!-- this permits redirection to session timeout page from javascript/ajax or http -->
    <property name="redirectStrategy" ref="jsfRedirectStrategy" />
</bean>

<!-- Limits each principal to one concurrent session. With
     exceptionIfMaximumExceeded left at its default (false) a new login is
     accepted and the principal's older session is expired, rather than the new
     login being refused; verify that is the intended policy. The commented-out
     properties are dead configuration that no parser reads: enable or delete them. -->
<bean id="sas" class= "org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    <property name="maximumSessions" value="1" />
    <!--  <property name="alwaysCreateSession" value="true" />
    <property name="exceptionIfMaximumExceeded" value="true" />-->
</bean>

<!-- In-memory registry of active sessions shared by sas and concurrencyFilter.
     It is per-JVM, so the one-session limit is not enforced across nodes. -->
<bean id="sessionRegistry"
     class="org.springframework.security.core.session.SessionRegistryImpl" />

Bean：

@ManagedBean 
@ViewScoped 
@PreAuthorize("hasRole('ROLE_ADMIN')") 
public class OrderDetView implements Serializable { 

......


你是如何调用 OrderDetView 中的方法的？ – 6ton 2014-12-02 15:11:30

回答


这仅仅是我的第一个想法:

注解 @ManagedBean 和 @ViewScoped 表明你在使用 JSF 框架，你的 OrderDetView 很可能只是一个 JSF 托管 bean，而不是 Spring bean。但 @PreAuthorize 只对 Spring 管理的 bean 生效（Spring 通过 AOP 代理来拦截调用）；放在非 Spring bean 上的 @PreAuthorize 会被静默忽略，方法照常执行，不会做任何角色检查，这正是你看到"所有方法都能运行"的原因。


Ralph 说得对。抱歉，是我弄错了，我会修改我的问题。是否有可能在 JSF bean 上使用 @PreAuthorize（我猜不行，但想确认一下），还是必须把它改成 Spring 管理的 bean 才能使用这类注解？如果你能帮忙，我会非常感激 – user2307786 2014-12-02 15:46:09


你可以让它对任何类生效，但这需要 AspectJ，并且要在编译期织入安全切面。 – 2014-12-02 19:11:18


你好 Deinum。按我对你的回复的理解，你是说可以在 JSF 托管 bean 上使用 AspectJ，而不必把它改成 Spring 托管 bean。能否提供一个在 JSF 托管 bean 上使用 AspectJ 的示例？ – user2307786 2014-12-08 10:08:21
