Hy。我想要做的是将Spring安全与Jsf + Spring IOC + Hibernate应用程序集成在一起。我设法设置了登录页面并过滤了其他一些页面。到目前为止,还是很棒的,但是当我试图将@Secured或@PreAuthorize对managedBean内部的方法进行注释(在Dao的注解工作中),我意识到他们什么都不做。我读过,我需要FORCE类代理。 Spring使用基于代理的aop,托管bean实现一个接口,因此使用jdk动态代理而不是类代理。所以,我在配置文件中这样做:Spring安全3.1 + JSF 2.0。 ManagedBeans中注释方法的问题?
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"**
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">
<aop:aspectj-autoproxy proxy-target-class="true"/>
//the rest of the beans
</beans>
ApplicationContext的安全XML看起来是这样的:
<?xml version="1.0" encoding="UTF-8"?>
<!-- - Sample namespace-based configuration - - $Id: applicationContext-security.xml
3019 2008-05-01 17:51:48Z luke_t $ -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>
<http pattern="/css/**" security="none" />
<http pattern="/pages/login.xhtml" security="none" />
<http auto-config='false'>
<intercept-url pattern="/pages/customer/**" access='ROLE_SITE_ADMIN' />
<intercept-url pattern="/pages/department/overhead*" access='ROLE_SITE_ADMIN' />
<intercept-url pattern="/**"
access='ROLE_SITE_ADMIN,ROLE_PROJECT_MANAGER,ROLE_DEPARTMENT_MANAGER,ROLE_ACCOUNTING' />
<form-login login-page="/pages/login.xhtml"
default-target-url='/pages/reports.xhtml' always-use-default-target='true'
authentication-failure-handler-ref="userLoginService" />
<logout invalidate-session="true" logout-success-url="/pages/login.xhtml"/>
</http>
<authentication-manager>
<authentication-provider user-service-ref='userLoginService'>
<password-encoder hash="md5" />
</authentication-provider>
</authentication-manager>
<beans:bean id="userLoginService" class="com.evozon.demo.bean.SecureLoginService">
<beans:property name="defaultFailureUrl" value="/pages/login.xhtml" />
<beans:property name="userDao" ref="userDao" />
<beans:property name="loginReportDao" ref="loginReportDao" />
</beans:bean>
</beans:beans>
谁能告诉我,为什么标注不托管bean内工作,以及如何解决问题?例如:
@PreAuthorize("ROLE_PROJECT_MANAGER")
public void aproveVacation(Vacation vacation) {...}
THX